22: Troubleshooting Group Policy with MMC
RSOP.msc – Resultant Set of Policy
https://www.udemy.com/course/active-directory-group-policy-2012/learn/lecture/8378272#content
- Windows Icon > ‘rsop.msc’ (Microsoft Common Console Document)
- Available on all modern Windows computers (server and desktop)
- Mouse over to see path if the link is broken (mine is)
- C:\Windows\System32\rsop.msc
- Will show the UserName and Computer you are logged into.
- Looks very much like editing a Group Policy Object.
- Can expand tabs to see which Policies are enabled/disabled/not defined.
- If a GPO is not working, you can use this to see what has been applied.
23: Troubleshooting Group Policy with Command Prompt
(GPResult /r)
https://www.udemy.com/course/active-directory-group-policy-2012/learn/lecture/8378288#content
Using CMD
Open a command terminal and run gpresult /r
- /r = report
- Provides both Computer and User related data.
```
C:\Users\Administrator>gpresult /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2018 Microsoft Corporation. All rights reserved.

Created on 4/28/2020 at 4:38:21 AM

RSOP data for TAS\Administrator on WINAD01 : Logging Mode
----------------------------------------------------------

OS Configuration:            Primary Domain Controller
OS Version:                  10.0.17763
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\Administrator
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
    CN=WINAD01,OU=Domain Controllers,DC=tas,DC=local
    Last time Group Policy was applied: 4/28/2020 at 4:35:15 AM
    Group Policy was applied from:      winad01.tas.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        TAS
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Pre-Windows 2000 Compatible Access
        BUILTIN\Users
        Windows Authorization Access Group
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        WINAD01$
        Domain Controllers
        NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
        Authentication authority asserted identity
        Denied RODC Password Replication Group
        System Mandatory Level

USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=tas,DC=local
    Last time Group Policy was applied: 4/28/2020 at 4:35:51 AM
    Group Policy was applied from:      winad01.tas.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        TAS
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Group Policy Creator Owners
        Domain Admins
        Schema Admins
        Enterprise Admins
        Authentication authority asserted identity
        Denied RODC Password Replication Group
        High Mandatory Level
```
Points of Interest
- RSOP data for TAS\Administrator on WINAD01 : Logging Mode
- Group Policy settings
- When applying a GPO, you should go to the target computer/user and verify it is being applied
```
Applied Group Policy Objects
-----------------------------
    Default Domain Controllers Policy
    Default Domain Policy
```
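The verification step above can be scripted. This is an added example, not part of the course material: the function name `Get-AppliedGpo` and the expected-GPO list are assumptions, the sample text is constructed from the output shown above, and the parser assumes English-language `gpresult /r` output.

```powershell
# Added example: extract the GPOs listed under "Applied Group Policy Objects"
# for the computer and user scopes of English-language 'gpresult /r' text.
function Get-AppliedGpo {
    param([string[]]$Lines)
    $applied = @{ Computer = @(); User = @() }
    $scope   = $null
    $inList  = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if     ($text -eq 'COMPUTER SETTINGS') { $scope = 'Computer'; $inList = $false }
        elseif ($text -eq 'USER SETTINGS')     { $scope = 'User';     $inList = $false }
        elseif ($text -eq 'Applied Group Policy Objects') { $inList = [bool]$scope }
        elseif ($inList -and $text -eq '')     { $inList = $false }  # blank line ends the list
        elseif ($inList -and $text -notmatch '^-+$' -and $text -ne 'N/A') {
            $applied[$scope] += $text                                # one GPO name per line
        }
    }
    $applied
}

# Constructed sample, trimmed from the gpresult output shown above.
$sample = @'
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Default Domain Policy

    The following GPOs were not applied because they were filtered out

USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        N/A

'@ -split "`r?`n"

# On the target machine use: $applied = Get-AppliedGpo -Lines (gpresult /r)
$applied  = Get-AppliedGpo -Lines $sample
$expected = 'Default Domain Policy', 'Test GPO'   # hypothetical list of GPOs you meant to apply
$missing  = $expected | Where-Object { $_ -notin ($applied.Computer + $applied.User) }
if ($missing) { Write-Warning "Not applied: $($missing -join ', ')" }
```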
24: Creating Non-Inheriting Organizational Units for GPO Testing / Troubleshooting
https://www.udemy.com/course/active-directory-group-policy-2012/learn/lecture/8378312#content
Non-inheriting OUs will not inherit any GPOs EXCEPT those that are Enforced.
Overview
- Create an OU
- Disable inheritance
Procedure
- Server Manager > Tools > AD Users and Computers
    - AD Users and Computers > domain.tld > domain [RtClk] > New OU
        - Test no inherit
        - Drag the ‘Administrator’ user into the new OU
- Server Manager > Tools > Group Policy Management
    - Create a GPO to test with
        - Group Policy Management > Forest: domain.tld > Domains > domain.tld > Default Domain Policy [RtClk] > Edit…
        - User Configuration > Policies > Admin templates > Desktop > Disable Active Desktop (Dbl Clk) Enable
- Open CMD
    - Update policy instantly
        - gpupdate
        - View update
        - gpresult /r
            - “Default Domain Policy”
- Create a GPO under (inside) ‘Test no inherit’ called ‘Test GPO’
    - Test GPO [RtClk] > Edit
        - User Configs > Preferences > Win Settings > Folders [RtClk] > New > Folder
            - Path: C:\TestFolder
- Verify the settings are there:
    - Return to Group Policy Management > … > Test GPO (DblClk) > Settings tab
- Demonstrate Both Policies enabled
    - CMD Run ‘gpupdate /force’ then ‘gpresult /r’
        - Applied Group Policy Objects
            - Test GPO
            - Default Domain Policy
- Now set the OU as non-inheriting
    - GPM > … > Test no inherit [RtClk] > Block Inheritance
        - Icon will change to include ‘!’
        - Note: Return to AD and you will NOT know it is non-inheriting. This is why it is a good idea to label these as such!
- Demonstrate Default is no longer active
    - CMD Run ‘gpupdate /force’ then ‘gpresult /r’
        - Applied Group Policy Objects
            - Test GPO
- Enforce ‘Default Domain Policy’
    - GPM > … > Default Domain Policy [RtClk] > Enforced
        - Icon changes with UpRight Arrow
- Demonstrate Default is again active.
    - CMD Run ‘gpupdate /force’ then ‘gpresult /r’
        - Applied Group Policy Objects
            - Test GPO
            - Default Domain Policy
The rest of the video is undoing everything we did.
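The block/enforce sequence above can also be driven and checked from PowerShell. This is an added example, not from the course: it assumes a lab domain, the RSAT `ActiveDirectory` and `GroupPolicy` modules, and rights to create OUs and GPOs; `Show-GpoState` is a hypothetical helper name, and the test GPO is created empty (the folder preference item is still added in the editor). The last command covers the note that AD Users and Computers does not show which OUs block inheritance.

```powershell
Import-Module ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=Test no inherit,$domainDn"

# Hypothetical helper: summarise the block flag, the directly linked GPOs and
# the effective GPO list that the GroupPolicy module computes for a container.
function Show-GpoState([string]$Target, [string]$Stage) {
    $som = Get-GPInheritance -Target $Target
    [pscustomobject]@{
        Stage     = $Stage
        Blocked   = $som.GpoInheritanceBlocked
        Direct    = $som.GpoLinks.DisplayName -join ', '
        Effective = $som.InheritedGpoLinks.DisplayName -join ', '
    }
}

# Create the OU and a test GPO linked to it (names taken from the notes).
New-ADOrganizationalUnit -Name 'Test no inherit' -Path $domainDn `
    -ProtectedFromAccidentalDeletion $false   # lets the lab OU be deleted afterwards
New-GPO -Name 'Test GPO' | New-GPLink -Target $ouDn | Out-Null
Show-GpoState $ouDn 'both policies'

# Block inheritance on the OU: only directly linked GPOs should remain.
Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null
Show-GpoState $ouDn 'inheritance blocked'

# Enforce the domain-level link: it should reach the OU again despite the block.
Set-GPLink -Name 'Default Domain Policy' -Target $domainDn -Enforced Yes | Out-Null
Show-GpoState $ouDn 'default enforced'

# Audit: list every OU in the domain that has Block Inheritance set.
Get-ADOrganizationalUnit -Filter * | Where-Object {
    (Get-GPInheritance -Target $_.DistinguishedName).GpoInheritanceBlocked
} | Select-Object Name, DistinguishedName
```

To undo the lab, set `-IsBlocked No` and `-Enforced No` with the same two cmdlets before removing the GPO and the OU.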
Quiz 2: Group Policy Knowledge Test
https://www.udemy.com/course/active-directory-group-policy-2012/learn/quiz/427388#content