GPO

From wiki.adammorgan.org

Microsoft Group Policy - notes and stuff.

Misc

Administrative Templates

  • adm files: to use custom/downloaded .adm files, simply place them in their own folder inside the sysvol\policies folder, for example:
\\myorg.net\sysvol\myorg.net\Policies\msoffice
  • You may have to right-click Administrative Templates in GPMC and select "Add/Remove Templates" before the settings appear.
  • admx & adml files: .admx files differ from .adm files in that they split some of their settings into a separate .adml file (to support multiple languages)[2]. These files must be placed in the following folders on LEADC01:
Put .admx files in:  %systemroot%\PolicyDefinitions
Put .adml files in:  %systemroot%\PolicyDefinitions\en-US
  • If GPMC is already open, close and re-open it. The new admx/adml files' settings should now be somewhere under [Computer Configuration or User Configuration]\Administrative Templates. You don't have to right-click and select "Add/Remove Templates".
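The copy step above is easy to get half right (an .admx without its .adml makes GPMC throw an error for that template). Here is an added PowerShell example, not from the wiki, that stages a folder of templates into a PolicyDefinitions store and reports unmatched files. The source folder path is a constructed example; the destination defaults to the local %systemroot%\PolicyDefinitions described above, and you can pass the domain central store path instead.

```powershell
# Added example (not from the wiki): stage .admx/.adml files into a
# PolicyDefinitions folder and verify every .admx has its language file.
# $SourceFolder is a constructed path. The destination defaults to the
# local %systemroot%\PolicyDefinitions; pass the central store path
# (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions) as -Destination
# if every DC's GPMC should see the templates.
function Install-AdmxTemplate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SourceFolder,
        [string] $Destination = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
        [string] $Language = 'en-US'
    )
    $langDir = Join-Path $Destination $Language
    foreach ($dir in $Destination, $langDir) {
        if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    }

    $admx = Get-ChildItem -Path $SourceFolder -Filter *.admx -Recurse
    $adml = Get-ChildItem -Path $SourceFolder -Filter *.adml -Recurse
    foreach ($file in $admx) {
        # The .adml shares the .admx base name; GPMC looks for it in <store>\<language>\
        $lang = $adml | Where-Object { $_.BaseName -eq $file.BaseName } | Select-Object -First 1
        if (-not $lang) {
            Write-Warning "$($file.Name): no matching .adml in the source folder; skipped"
            continue
        }
        if ($PSCmdlet.ShouldProcess($file.Name, "copy to $Destination")) {
            Copy-Item -Path $file.FullName -Destination $Destination -Force
            Copy-Item -Path $lang.FullName -Destination $langDir -Force
        }
    }

    # Templates already in the store that have no language file would also break GPMC
    Get-ChildItem -Path $Destination -Filter *.admx | ForEach-Object {
        if (-not (Test-Path (Join-Path $langDir ($_.BaseName + '.adml')))) {
            Write-Warning "$($_.Name) is in the store without $Language\$($_.BaseName).adml"
        }
    }
}

# -WhatIf shows what would be copied without touching the store
Install-AdmxTemplate -SourceFolder 'C:\Temp\MSOfficeTemplates' -WhatIf
```

Run it once with -WhatIf, then without; afterwards close and re-open GPMC as the note above says.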

Fast Logon Optimization

  • Fast Logon Optimization (XP, 7, 8) - means that Group Policy is processed asynchronously, in parallel with the other work the machine does to boot and log on, so the user reaches a usable desktop sooner.
    • Turned on by default.
    • Ref: http://technet.microsoft.com/en-us/library/jj573586.aspx
    • To disable it, enable "Always wait for the network at computer startup and logon" in Computer Configuration\Administrative Templates\System\Logon.
    • XP should always disable FLO if a logon script is defined.
    • To be honest, I have never seen logon scripts disable FLO by default, but here is a way you can verify. FLO is simply foreground asynchronous GP processing with a fancy name. Look in the registry, right after you log on to one of these systems running logon scripts where FLO is supposed to be disabled, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\<SID of your current User>. In there, there will be a value called "PrevRefreshReason". If that value is set to 2, it was an FLO logon. If 1, then FLO was disabled. (Darren Mar-Elia MS-MVP, Group Policy www.gpoguy.com www.sdmsoftware.com - "The Group Policy Experts")
  • also check registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\WaitForNetwork=1
  • Disable user/computer settings if not applicable. This speeds-up processing a bit: if a GPO has only computer settings, disable its user settings, and vice-versa.
  • If a computer isn't connected to the network, it can waste a surprising amount of time attempting to map a network drive it cannot reach. Use item-level targeting to specify that drive mapping should occur only if the computer has a valid IP for the internal network.

Startup and Logon script-processing

The most important script-processing settings are the following.

Run startup scripts asynchronously: Computer Configuration\Administrative Templates\System\Logon\Run startup scripts asynchronously

  • When enabled, startup scripts can run simultaneously, which can cause unpredictable problems. It's safest to force startup scripts to run one-at-a-time.
  • Defaults to disabled.
  • This setting applies to scripts in different GPOs and to scripts in the same GPO (all startup scripts run one-at-a-time in synchronous processing mode).
  • Ref: http://msdn.microsoft.com/en-us/library/ms811602.aspx

Run logon scripts synchronously: Computer Configuration\Administrative Templates\System\Logon\Run logon scripts synchronously

  • Directs the system to wait for logon scripts to finish running before it starts the Windows Explorer interface program and creates the desktop. If you enable this policy, Windows Explorer does not start until the logon scripts have finished running. This setting assures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. If you disable this policy or do not configure it, the logon scripts and Windows Explorer are not synchronized and can run simultaneously.
  • This policy appears in the Computer Configuration and User Configuration folders. The policy set in Computer Configuration takes precedence over the policy set in User Configuration.

Configure Logon Script Delay

  • In Windows 8.1 and later, logon scripts run 5 minutes after logon by default (again, to make logon "seem" faster). It's damned confusing if you don't know about this setting. If your scripts are well-written, it shouldn't matter. Disable it by setting it to 0.
    • Setting Path: Computer Configuration/Administrative Templates/System/Group Policy
    • Setting Name: Configure Logon Script Delay
    • Supported On: At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
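The FLO check quoted above and the three script-processing settings all come down to registry values on the workstation. This added PowerShell example, not from the wiki, reads them in one go and reports the effective state (last logon FLO or not, wait-for-network, startup/logon script mode, logon script delay). The value names are my reading of the Logon, Scripts and GroupPolicy .admx definitions, so confirm them against the .admx files in your own store before relying on the mapping.

```powershell
# Added example, not from the wiki: read the registry values behind the
# settings above on the local machine and report them in one object.
# Value names are my reading of Logon.admx, Scripts.admx and GroupPolicy.admx;
# confirm against your own PolicyDefinitions store.
function Get-GpLogonProcessingState {
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $stateKey  = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\$sid"
    $polSystem = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $gpPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $wlPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # $null when the value or key is absent, which is what "Not configured" looks like
    $read = { param($Path, $Name) (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name }

    # The check quoted above: 2 = last logon used FLO, 1 = FLO was disabled
    $prevRefresh = & $read $stateKey 'PrevRefreshReason'
    if ($prevRefresh -eq 2) { $lastLogon = 'asynchronous (FLO)' } elseif ($prevRefresh -eq 1) { $lastLogon = 'synchronous (FLO disabled)' } else { $lastLogon = 'unknown (no PrevRefreshReason recorded)' }

    $syncFg      = & $read $wlPolicy  'SyncForegroundPolicy'   # "Always wait for the network...": Enabled writes 1
    $waitNet     = & $read $winlogon  'WaitForNetwork'         # the non-policy Winlogon key mentioned above
    $startupSync = & $read $polSystem 'RunStartupScriptSync'   # "Run startup scripts asynchronously": Enabled writes 0, Disabled writes 1
    $logonSync   = & $read $polSystem 'RunLogonScriptSync'     # "Run logon scripts synchronously": Enabled writes 1
    $delayOn     = & $read $gpPolicy  'EnableLogonScriptDelay' # "Configure Logon Script Delay": Enabled writes 1 ...
    $delayMin    = & $read $gpPolicy  'AsyncScriptDelay'       # ... plus the delay in minutes (0 = no delay)

    if ($syncFg -eq 1) { $wait = 'enabled' } elseif ($null -eq $syncFg) { $wait = 'not configured' } else { $wait = 'disabled' }
    if ($startupSync -eq 0) { $startup = 'asynchronous' } elseif ($startupSync -eq 1) { $startup = 'synchronous' } else { $startup = 'not configured (synchronous by default)' }
    if ($logonSync -eq 1) { $logon = 'synchronous' } elseif ($logonSync -eq 0) { $logon = 'asynchronous' } else { $logon = 'not configured (asynchronous by default)' }
    if ($delayOn -eq 1) { $delay = "$delayMin minute(s)" } elseif ($delayOn -eq 0) { $delay = 'disabled (0)' } else { $delay = 'not configured (5 minutes on 8.1 and later)' }

    [pscustomobject]@{
        UserSid                = $sid
        LastLogonProcessing    = $lastLogon
        AlwaysWaitForNetwork   = $wait
        WinlogonWaitForNetwork = $waitNet
        StartupScripts         = $startup
        LogonScripts           = $logon
        LogonScriptDelay       = $delay
    }
}

Get-GpLogonProcessingState | Format-List
```

Run it in the user's own session right after logon, since PrevRefreshReason is stored per user SID and reflects the most recent refresh.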

Script-processing: other notes

  • If logon scripts don't run synchronously in win7, try this fix: [3]
  • GPO processing order: links on an OU are applied bottom-first. The link with link order #1 is applied LAST, and therefore has the highest precedence because it overwrites conflicting settings from the links applied before it.

Pushing-Out Certificates

  • Example: Push-out a trusted root (CA) cert [4]

Troubleshooting

  • Xbootmgr - Analyze Windows boot process, diagnose long startup times.

Reference

Identifying GPOs

  • Find GPO by GUID.
cscript "C:\Program Files\Microsoft Group Policy\GPMC Sample Scripts"\DumpGPOInfo.wsf {446D667F-A290-47A1-B0DB-390290AB0C25}
  • To list all gpo's and their GUID's:
dsquery * -filter "(objectCategory=groupPolicyContainer)" -attr displayName objectGUID -limit 0

List of known/generic GPO GUIDs

31B2F340-016D-11D2-945F-00C04FB984F9          Default Domain Policy
6AC1786C-016F-11D2-945F-00C04fB984F9          Default Domain Controllers Policy
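The GPMC sample script and dsquery commands above do the GUID-to-name mapping from the command line. As an added PowerShell example, not from the wiki, here is the same lookup with the GroupPolicy module (RSAT/GPMC), seeded with the two well-known GUIDs from the table above, plus an inventory of every GPO with its GUID and SYSVOL folder. The GUID in the usage line is the page's own example, not a real policy.

```powershell
# Added example, not from the wiki: resolve a GPO GUID (as seen in event
# logs or a SYSVOL folder name) to a display name, and list all GPOs with
# their GUIDs. Requires the GroupPolicy module and a domain connection.
$KnownGpoGuids = @{
    '31B2F340-016D-11D2-945F-00C04FB984F9' = 'Default Domain Policy'
    '6AC1786C-016F-11D2-945F-00C04FB984F9' = 'Default Domain Controllers Policy'
}

function Resolve-GpoGuid {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Guid)
    process {
        # Accept {braced} or bare GUIDs; hashtable keys are case-insensitive
        $clean = $Guid.Trim('{', '}').ToUpperInvariant()
        if ($KnownGpoGuids.ContainsKey($clean)) {
            return [pscustomobject]@{ Id = $clean; DisplayName = $KnownGpoGuids[$clean]; Source = 'well-known' }
        }
        try {
            $gpo = Get-GPO -Guid $clean -ErrorAction Stop
            [pscustomobject]@{ Id = $clean; DisplayName = $gpo.DisplayName; Source = 'Get-GPO' }
        } catch {
            [pscustomobject]@{ Id = $clean; DisplayName = $null; Source = "not found: $($_.Exception.Message)" }
        }
    }
}

# PowerShell counterpart of the dsquery one-liner above
function Get-GpoInventory {
    Get-GPO -All | Sort-Object DisplayName | ForEach-Object {
        $id = $_.Id.ToString().ToUpperInvariant()
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Id          = $id
            SysvolPath  = "\\$($_.DomainName)\SYSVOL\$($_.DomainName)\Policies\{$id}"
            Status      = $_.GpoStatus
        }
    }
}

'{446D667F-A290-47A1-B0DB-390290AB0C25}' | Resolve-GpoGuid
Get-GpoInventory | Format-Table -AutoSize
```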

Rule-Out Problematic Scripts

Since local group policy overrides domain group policy, you can make startup scripts visible on a single computer. Use gpedit.msc to specify the following setting:

Win7: Computer Configuration\Policies\Administrative Templates\System\Scripts\
     "Run startup scripts visible" = "yes"

Logs

To view group policy client logs on a workstation,

  • WinXP: use Userenv.log
  • Win7: Windows 7 does detailed logging for group policy events by default. [5] You can view them in event viewer under:
Applications and Services Logs\Microsoft\Windows\Group Policy\Operational
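Ready-made event queries are handier than scrolling the Operational log in Event Viewer. See the added example under "Event 6006 from Winlogon" below, which reads this log by ActivityId for the most recent policy run.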

Using gpLogView to trace an event back to a GPO

Ensuring GPO version is consistent between servers

If GPO changes don't replicate properly, you could have an older version on one or more servers. You can use Replmon (from Windows Support Tools) to see whether you have two versions of the GPO (e.g. one is v2 and the other is v9). Just copy the newer files from server 1 manually to the sysvol folder of server 2 to resolve.
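The version mismatch Replmon is used for above can also be read straight from each DC's SYSVOL share. This added PowerShell example, not from the wiki, reads GPT.ini for one GPO from every domain controller, splits the version into its computer and user halves, and compares them with each other and with the version held in AD. It assumes the GroupPolicy and ActiveDirectory RSAT modules; the GUID in the usage line is the page's example, not a real policy.

```powershell
# Added example, not from the wiki: compare a GPO's GPT.ini version across
# all DCs and against AD. GPT.ini's Version is one 32-bit number:
# low 16 bits = computer version, high 16 bits = user version.
function Compare-GpoVersionAcrossDCs {
    param([Parameter(Mandatory)] [string] $Guid)
    $gpo = Get-GPO -Guid $Guid
    $folder = '{' + $gpo.Id.ToString().ToUpperInvariant() + '}'

    $results = foreach ($dc in Get-ADDomainController -Filter * -Server $gpo.DomainName) {
        $gptIni = "\\$($dc.HostName)\SYSVOL\$($gpo.DomainName)\Policies\$folder\GPT.ini"
        $version = $null
        if (Test-Path -LiteralPath $gptIni) {
            $m = [regex]::Match((Get-Content -LiteralPath $gptIni -Raw), '(?m)^Version=(\d+)')
            if ($m.Success) { $version = [uint32]$m.Groups[1].Value }
        }
        if ($null -ne $version) { $computer = $version -band 0xFFFF; $user = $version -shr 16 }
        else { $computer = $null; $user = $null }   # folder missing or not yet replicated to this DC

        [pscustomobject]@{
            DC              = $dc.HostName
            GptIniVersion   = $version
            ComputerVersion = $computer
            UserVersion     = $user
            # What GPMC's Details tab compares: SYSVOL version vs the AD (DS) version
            MatchesAD       = ($computer -eq $gpo.Computer.DSVersion -and $user -eq $gpo.User.DSVersion)
        }
    }

    $distinct = @($results | Select-Object -ExpandProperty GptIniVersion -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "$($gpo.DisplayName): DCs disagree on the SYSVOL version ($($distinct -join ', ')); AD holds computer=$($gpo.Computer.DSVersion) user=$($gpo.User.DSVersion)"
    }
    $results
}

Compare-GpoVersionAcrossDCs -Guid '446D667F-A290-47A1-B0DB-390290AB0C25' | Format-Table -AutoSize
```

A DC whose GptIniVersion lags the others is the one whose sysvol folder needs the newer files copied in, as described above.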

File sharing disabled

Above all else, make sure of this: go to Control Panel > Network Connections > Advanced > Advanced Settings and check that your internal connection has File and Printer Sharing turned on. If it doesn't, your Group Policy share isn't going to work.

Event 6006 from Winlogon

Eventvwr\Application log: "winlogon notification subscriber <GPClient> took x second(s) to handle the notification event (CreateSession)." Often accompanied by 6005 events.

  • Try Computer Configuration\Policies\Administrative Templates\System\Scripts\Run logon scripts synchronously = disabled.
  • Disabling IPv6 is also listed as a possible fix by many people.
  • Folder redirection can cause this.
  • In Vista and Server 2008, a lock on the Service Control Manager (SCM) database can cause this. See explanation [6] and hotfix [7]
  • Windows updates can cause this, especially if the workstations receive an update for the GPO client side extensions without the accompanying update being installed on the server. You can have problems anytime the GPO-related components on a workstation get updated to a later version than those on the server.
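To see how bad the 6006 delays are and which part of Group Policy processing is behind them, the two logs mentioned on this page can be queried together. This added PowerShell example, not from the wiki, lists the Winlogon 6005/6006 events from the Application log with the seconds each one reports, then takes the most recent policy run from the Group Policy Operational log (the one listed under Logs above) and breaks it down by client-side extension. It uses Operational event 5016 ("Completed <extension> Processing in <n> milliseconds") and the ActivityId shared by all events of one run, which is the same value gpLogView can filter on; both are my reading of the log, and the regular expressions match the English message text.

```powershell
# Added example, not from the wiki: Winlogon 6005/6006 delays from the
# Application log, plus per-extension timings for the latest Group Policy
# run from the Operational log. Event 5016 and the ActivityId grouping are
# my reading of the log; regexes assume English messages.
function Get-WinlogonNotificationDelay {
    param([int] $Days = 7)
    $filter = @{
        LogName = 'Application'; ProviderName = 'Microsoft-Windows-Winlogon'
        Id = 6005, 6006; StartTime = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: Get-WinEvent raises an error when nothing matches
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $m = [regex]::Match($_.Message, 'subscriber <(?<sub>[^>]+)> took (?<sec>\d+) second')
        if ($m.Success) { $sub = $m.Groups['sub'].Value; $sec = [int]$m.Groups['sec'].Value } else { $sub = $null; $sec = $null }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Subscriber = $sub; Seconds = $sec }
    }
}

function Get-GpLastRunExtensionTimes {
    $log = 'Microsoft-Windows-GroupPolicy/Operational'
    $latest = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5016 } -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $latest) { Write-Warning "no 5016 events in $log"; return }

    # Every event of one processing cycle shares the ActivityId
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5016 } -ErrorAction SilentlyContinue |
        Where-Object { $_.ActivityId -eq $latest.ActivityId } |
        ForEach-Object {
            $m = [regex]::Match($_.Message, 'Completed (?<cse>.+?) [Ee]xtension [Pp]rocessing in (?<ms>\d+) milliseconds')
            if ($m.Success) { $cse = $m.Groups['cse'].Value; $ms = [int]$m.Groups['ms'].Value } else { $cse = $_.Message; $ms = $null }
            [pscustomobject]@{ ActivityId = $_.ActivityId; Time = $_.TimeCreated; Extension = $cse; Milliseconds = $ms }
        } | Sort-Object Milliseconds -Descending
}

Get-WinlogonNotificationDelay | Sort-Object Seconds -Descending | Format-Table -AutoSize
Get-GpLastRunExtensionTimes | Format-Table -AutoSize
```

An extension that dominates the 5016 timings (folder redirection or drive maps, for instance) points at which of the causes listed above to chase first.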

GPMC Error: The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory

  • Error may occur when you open GPMC or select a specific policy.
  • See technet article: https://support.microsoft.com/en-us/kb/2838154
  • Often caused when "authenticated users" have the "list object" permission for the sysvol folder of the policy, but do not have read access in the policy's "Delegation" tab in GPMC.
  • Possible solution: In GPMC, go to the "Delegation" tab, hit "Advanced", add "Authenticated Users" and give them Read access.
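Rather than opening each GPO's Delegation tab, the AD-side and SYSVOL-side permissions for Authenticated Users can be listed side by side for every policy. This added PowerShell example, not from the wiki, does that with Get-GPPermission (what the Delegation tab shows) and Get-Acl on the policy's SYSVOL folder; it needs the GroupPolicy module and read access to SYSVOL, and it reports rather than repairs.

```powershell
# Added example, not from the wiki: for each GPO, show the Authenticated
# Users permission held in AD next to the NTFS ACL on the SYSVOL folder,
# which is the pair that the GPMC error above says are inconsistent.
function Test-GpoSysvolPermission {
    param([string] $Principal = 'Authenticated Users')
    foreach ($gpo in Get-GPO -All) {
        # AD side: GpoRead / GpoApply / GpoEdit ...; $null when the principal has no entry
        $adPerm = $null
        try {
            $adPerm = (Get-GPPermission -Guid $gpo.Id -TargetName $Principal -TargetType Group -ErrorAction Stop).Permission
        } catch { }

        # SYSVOL side: NTFS entries for the principal (identity is "NT AUTHORITY\Authenticated Users")
        $folder = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id.ToString().ToUpperInvariant())}"
        $ntfs = @((Get-Acl -Path $folder).Access |
            Where-Object { $_.IdentityReference.Value -like "*\$Principal" } |
            ForEach-Object { "$($_.FileSystemRights) ($($_.AccessControlType))" })

        # Only a list-folder entry in SYSVOL without Read, or no AD entry at all, is the mismatch described above
        $sysvolRead = [bool]($ntfs -match 'Read')
        [pscustomobject]@{
            GPO          = $gpo.DisplayName
            AdPermission = $adPerm
            SysvolAcl    = ($ntfs -join '; ')
            Consistent   = [bool]($adPerm -and $sysvolRead)
        }
    }
}

Test-GpoSysvolPermission | Where-Object { -not $_.Consistent } | Format-Table -AutoSize
```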

Registry Items

Under Computer or User Preferences, you can add registry items one-by-one. Here are syntax examples for adding domains to IE's Trusted Sites zone (zone 2):

- Registry value to add:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\myorg.net]
"*"=dword:00000002
- GUI selections to create this value:
Hive: HKEY_CURRENT_USER
Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\myorg.net
Value Name: *
Value Type: dword:00000002

Here's an example that matches everything under a subdomain (internal.myorg.net) (matches wiki.internal.myorg.net, web.internal.myorg.net, etc):

- Registry value to add:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\myorg.net\*.internal]
"*"=dword:00000002
- GUI selections to create this value:
Hive: HKEY_CURRENT_USER
Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\myorg.net\*.internal
Value Name: *
Value Type: dword:00000002

Another way to do this is to apply a .reg file as a startup or logon script:

Script: Regedit.com
Parameters: /s myregkey.reg
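The two registry examples above follow one layout rule: ZoneMap stores the registered domain as a key and any leading labels (a host or a wildcard such as *.internal) as a subkey beneath it, with a "*" value holding the zone number. This added PowerShell example, not from the wiki, generalizes that rule: it builds the .reg file that the logon script above imports from a plain list of domains, and reads the resulting entries back. The domains and output path are constructed for the example.

```powershell
# Added example, not from the wiki: generate the ZoneMap .reg file from a
# domain list and verify the entries afterwards. Zone 2 = Trusted sites.
$ZoneMapRoot = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# 'myorg.net'            -> 'myorg.net'
# 'wiki.myorg.net'       -> 'myorg.net\wiki'
# '*.internal.myorg.net' -> 'myorg.net\*.internal'   (matches every host under internal.myorg.net)
function ConvertTo-ZoneMapKey {
    param([Parameter(Mandatory)] [string] $Domain)
    $labels = $Domain.Split('.')
    if ($labels.Count -lt 2) { throw "'$Domain' is not a domain name" }
    $domainKey = $labels[-2..-1] -join '.'
    if ($labels.Count -gt 2) { return "$domainKey\" + ($labels[0..($labels.Count - 3)] -join '.') }
    return $domainKey
}

function New-IeZoneMapRegFile {
    param(
        [Parameter(Mandatory)] [string[]] $Domain,
        [int] $Zone = 2,
        [Parameter(Mandatory)] [string] $Path
    )
    $lines = @('Windows Registry Editor Version 5.00', '')
    foreach ($d in $Domain) {
        $lines += "[HKEY_CURRENT_USER\$ZoneMapRoot\$(ConvertTo-ZoneMapKey $d)]"
        $lines += ('"*"=dword:{0:x8}' -f $Zone)   # dword:00000002 for zone 2, as in the entries above
        $lines += ''
    }
    # Version 5.00 .reg files are UTF-16; regedit misreads other encodings
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    $Path
}

function Get-IeZoneMapEntry {
    param([Parameter(Mandatory)] [string] $Domain)
    $key = "HKCU:\$ZoneMapRoot\$(ConvertTo-ZoneMapKey $Domain)"
    # -LiteralPath: the key name itself contains '*', which -Path would treat as a wildcard;
    # likewise the value is named '*', so read it via GetValue rather than Get-ItemProperty -Name
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Domain = $Domain
        Key    = $key
        Zone   = if ($item) { $item.GetValue('*') } else { $null }   # $null = not present
    }
}

$reg = New-IeZoneMapRegFile -Domain 'myorg.net', '*.internal.myorg.net' -Path "$env:TEMP\trusted-sites.reg"
Get-Content $reg
Get-IeZoneMapEntry -Domain '*.internal.myorg.net'
```

The generated file is what the logon script above imports with the /s switch; Get-IeZoneMapEntry run in the user's session afterwards confirms the zone took effect.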