1
00:00:03,090 --> 00:00:08,970
So in this module, I'm going to spend some time talking about a topic that is an unfortunate side effect

2
00:00:09,000 --> 00:00:10,380
of using group policy.

3
00:00:11,330 --> 00:00:15,890
And that's that sometimes you're going to run into problems when you apply group policy.

4
00:00:16,830 --> 00:00:18,470
And you need to have the skills.

5
00:00:18,510 --> 00:00:22,200
You need to know where to look and how to solve some of those basic issues.

6
00:00:23,210 --> 00:00:27,650
So in this module, we're going to talk about some common group policy problems.

7
00:00:28,580 --> 00:00:31,880
And I like to break those into three different categories.

8
00:00:32,900 --> 00:00:38,270
Server-side problems, which are essentially things that are happening as you're defining group policy

9
00:00:38,270 --> 00:00:39,860
objects and deploying them.

10
00:00:40,770 --> 00:00:46,200
Client-side problems, which are the things that happen at the machine that's processing policy.

11
00:00:47,130 --> 00:00:51,390
And then what I affectionately refer to as admin-side problems,

12
00:00:52,380 --> 00:00:57,030
which are those things that we as admins do that can cause group policy to not work.

13
00:00:58,000 --> 00:01:00,010
So let's dig into each of these.

14
00:01:01,010 --> 00:01:04,820
So on the server side, the most often thing that I have seen is

15
00:01:05,800 --> 00:01:12,160
issues with the SYSVOL portion of the GPO replicating across all domain controllers consistently.

16
00:01:13,130 --> 00:01:16,820
So this was a huge issue in the world of NTFRS,

17
00:01:17,830 --> 00:01:24,610
which is the NT File Replication Service that was responsible for replicating SYSVOL and DFS content

18
00:01:24,610 --> 00:01:25,600
for many years.

19
00:01:26,560 --> 00:01:31,060
And in fact, a lot of shops still run SYSVOL on NTFRS,

20
00:01:32,060 --> 00:01:38,630
even though I think since Server 2008 R2, this new model, or new technology, called DFSR

21
00:01:38,630 --> 00:01:39,470
has been around.

22
00:01:40,470 --> 00:01:43,230
It takes some work to get to DFSR.

23
00:01:44,230 --> 00:01:49,780
So if you haven't already converted SYSVOL to DFSR replication, I highly recommend it,

24
00:01:50,730 --> 00:01:54,300
as it usually makes the server-side problem go away.

25
00:01:55,230 --> 00:01:58,290
The other issues that I've seen: DNS issues.

26
00:01:59,290 --> 00:02:03,070
So this is as much a client-side issue as a server-side issue.

27
00:02:03,130 --> 00:02:05,620
But if your DNS infrastructure is not

28
00:02:06,560 --> 00:02:07,730
working properly,

29
00:02:07,730 --> 00:02:13,340
if the records for your DCs aren't registered, then clients can't find DCs and they can't find

30
00:02:13,340 --> 00:02:14,240
group policy.

31
00:02:15,220 --> 00:02:19,600
So that's a key piece, just like it is for Active Directory in general.

32
00:02:20,570 --> 00:02:26,510
DNS is a big, you know, piece of the puzzle when it comes to troubleshooting server-side issues.

33
00:02:27,460 --> 00:02:31,930
And then GPO corruption is something that happens very infrequently.

34
00:02:32,850 --> 00:02:38,880
And what this essentially is, is usually, again, through some file replication glitch or some other

35
00:02:38,880 --> 00:02:40,890
problem while you're editing a GPO,

36
00:02:41,800 --> 00:02:45,760
the actual files that store the GPO settings can get corrupted.

37
00:02:46,710 --> 00:02:50,760
And when the client goes to read them, they just simply give up and fail.

38
00:02:51,730 --> 00:02:55,540
So they just can't make heads or tails of the setting files.

39
00:02:56,510 --> 00:02:59,960
And just, you know, not expecting that kind of situation,

40
00:02:59,960 --> 00:03:02,090
they just, the client just fails.

41
00:03:03,090 --> 00:03:07,380
So those are issues that happen that you sort of have to keep an eye out for.

42
00:03:08,330 --> 00:03:14,240
And again, this notion of the server-side pieces of group policy and the two parts of group policy,

43
00:03:15,230 --> 00:03:21,170
the AD and SYSVOL part, are getting out of sync or just not having replicated to all DCs yet

44
00:03:22,130 --> 00:03:27,470
when a client is expecting to see those new settings, is an issue that you have to keep an eye out on.

45
00:03:28,450 --> 00:03:35,050
So you've got this part of the GPO in AD, these group policy container objects under system policies

46
00:03:35,050 --> 00:03:35,680
container.

47
00:03:36,640 --> 00:03:41,080
And then you've got a corresponding folder in SYSVOL for each GPO.

48
00:03:41,960 --> 00:03:44,780
And these exist on every domain controller

49
00:03:45,750 --> 00:03:51,960
and need to be essentially in sync and consistent for policy to process correctly on every client.

50
00:03:52,930 --> 00:03:57,730
And remember that clients will go preferentially to their closest domain controller.

51
00:03:58,740 --> 00:04:04,320
So if you've got a change that originates on a PDC emulator DC in your data center

52
00:04:05,290 --> 00:04:06,940
and you're waiting to see the change

53
00:04:06,940 --> 00:04:09,730
make it out to our branch office in Timbuktu,

54
00:04:10,670 --> 00:04:16,640
well, that DC in Timbuktu has to have the change replicated to it before that client over there

55
00:04:16,640 --> 00:04:17,570
can process it.

56
00:04:18,570 --> 00:04:23,700
So these are just, you know, pieces of the puzzle that you have to keep in mind when you're deploying

57
00:04:23,700 --> 00:04:24,570
group policy.

58
00:04:25,530 --> 00:04:28,290
Now on the client side, much more frequently

59
00:04:28,290 --> 00:04:32,610
do I see these kinds of client-side issues that cause problems with group policy.

60
00:04:33,540 --> 00:04:35,670
And they have a myriad of causes.

61
00:04:36,670 --> 00:04:42,460
So everything from the network stack not coming up or initializing on the network as the machine is

62
00:04:42,460 --> 00:04:42,970
booting.

63
00:04:43,860 --> 00:04:50,310
And that will typically result in failed computer-side processing. CSE failures,

64
00:04:50,310 --> 00:04:52,800
so client-side extensions when they run.

65
00:04:53,750 --> 00:04:59,210
You'll remember from an earlier module, I talked about the core part of group policy processing, which

66
00:04:59,210 --> 00:05:01,520
figures out which GPOs apply.

67
00:05:02,420 --> 00:05:08,720
And then the client-side extension part, where each client-side extension that's responsible for each policy

68
00:05:08,720 --> 00:05:10,070
area runs in turn.

69
00:05:11,000 --> 00:05:16,190
And if a particular client-side extension is processing three or four GPOs

70
00:05:17,110 --> 00:05:22,900
and one of those GPOs has corrupted setting storage, that's going to cause all of them to fail.

71
00:05:23,830 --> 00:05:25,270
It'll simply give up.

72
00:05:26,260 --> 00:05:30,280
So those kinds of CSE failures can happen from time to time.

73
00:05:31,210 --> 00:05:36,850
The other one that's a little bit trickier is that, you know, you're trying to figure out why a particular

74
00:05:36,850 --> 00:05:38,770
policy setting isn't working.

75
00:05:39,670 --> 00:05:45,520
It may have actually applied successfully, but the impact or the effect you were expecting on it wasn't

76
00:05:45,520 --> 00:05:46,150
the case,

77
00:05:47,130 --> 00:05:50,820
or wasn't consistent with what actually happened on the machine.

78
00:05:51,740 --> 00:05:57,530
And this can be tricky because sometimes you set a, let's say, a generic policy setting for the Explorer

79
00:05:57,540 --> 00:05:58,010
shell.

80
00:05:58,960 --> 00:06:05,200
And the thing in the Explorer simply doesn't respect the policy or doesn't, or there's some unintended

81
00:06:05,200 --> 00:06:07,660
side effect because you set that policy.

82
00:06:08,670 --> 00:06:14,250
So this can be a little bit tricky to troubleshoot and you sort of have to trial and error it by turning

83
00:06:14,250 --> 00:06:15,120
off the setting.

84
00:06:16,050 --> 00:06:18,570
CSE bugs, these do happen.

85
00:06:19,530 --> 00:06:24,150
Client-side extensions do get bugs in them just like any other software.

86
00:06:25,110 --> 00:06:27,240
And sometimes things just don't work.

87
00:06:28,200 --> 00:06:29,550
And it's not your fault.

88
00:06:29,670 --> 00:06:31,230
It's Microsoft's fault.

89
00:06:32,250 --> 00:06:34,440
So that's just something to be aware of.

90
00:06:35,390 --> 00:06:41,240
And then, you know, a pretty common one, which is that the machine account loses its trust with

91
00:06:41,240 --> 00:06:41,960
the domain.

92
00:06:42,880 --> 00:06:47,290
And this is, you know, simply all group policy processing fails.

93
00:06:48,240 --> 00:06:54,120
And that's a pretty obvious one, but it's one to keep in mind because sometimes you don't expect

94
00:06:54,120 --> 00:06:55,170
that to be the reason.

95
00:06:56,060 --> 00:07:00,620
And once you rejoin the machine to the domain, everything starts working again.

96
00:07:01,540 --> 00:07:05,410
And then finally those admin-side problems that I talked about.

97
00:07:06,410 --> 00:07:12,050
So perfectly normal for there to be user error in GP considering the complexity of it.

98
00:07:13,010 --> 00:07:15,800
And this ranges from the easy to the hard.

99
00:07:16,760 --> 00:07:19,520
So targeting errors are by far the most common

100
00:07:19,520 --> 00:07:20,150
I see,

101
00:07:21,090 --> 00:07:26,640
which is that folks confuse the fact that everything under computer configuration will only apply to

102
00:07:26,640 --> 00:07:27,810
computer objects.

103
00:07:28,810 --> 00:07:34,570
So they'll have a bunch of computer settings that they link to an OU that only contains user objects.

104
00:07:35,500 --> 00:07:38,170
And they wonder why those settings don't apply.

105
00:07:39,100 --> 00:07:41,200
Well, it's exactly for that reason.

106
00:07:42,160 --> 00:07:43,510
Or filtering errors.

107
00:07:43,630 --> 00:07:49,840
They've set a group policy or a security group filter or a WMI filter, and that's not applying.

108
00:07:50,780 --> 00:07:55,160
It's not working as expected, especially with WMI filters.

109
00:07:56,140 --> 00:08:02,620
You know, you've created this query in WMI and you expect for a particular machine to pass the query

110
00:08:02,620 --> 00:08:03,970
or not pass the query.

111
00:08:04,930 --> 00:08:06,310
And that doesn't happen.

112
00:08:06,460 --> 00:08:08,020
So that can be confusing.

113
00:08:08,890 --> 00:08:11,700
And then there is what I call the impatience factor,

114
00:08:12,640 --> 00:08:17,890
which is essentially that, as I mentioned, in large environments, if you make a change to a GPO,

115
00:08:17,890 --> 00:08:20,080
it can take a while to replicate around.

116
00:08:21,050 --> 00:08:25,970
And if you're expecting all clients to receive the change instantly, it will not happen.

117
00:08:26,850 --> 00:08:32,310
And then there's some known behaviors that are in group policy, such as the one that I brought up several

118
00:08:32,310 --> 00:08:32,880
times,

119
00:08:33,830 --> 00:08:38,180
which is the synchronous foreground requirement for client-side extensions

120
00:08:39,140 --> 00:08:45,740
like folder redirection or software installation or GP Preferences drive mappings, where it sometimes

121
00:08:45,740 --> 00:08:46,340
can take

122
00:08:47,300 --> 00:08:50,750
two boots or two logons for a setting to take effect.

123
00:08:51,760 --> 00:08:53,950
So those are some common problem areas.

124
00:08:54,100 --> 00:08:59,110
And now what I want to do is kind of shift gears and talk about how you can start to troubleshoot this

125
00:08:59,110 --> 00:09:01,660
with the tools that are available in the box.