Tuesday, May 30, 2006

Security Policy Problem

I came across an interesting problem today with a machine not processing the security element of Group Policy (Secedit.sdb).

The error was as follows:

"Security policies are propagated with warning. 0x4b8 : An extended error has occurred. Please look for more details in Troubleshooting section in Security Help."

Using esentutl /g c:\Windows\Security\database\secedit.sdb displayed that the database was corrupt.

Using esentutl /p c:\Windows\Security\database\secedit.sdb solved the problem and the security element was re-applied to the machine.

Investigating .pol files

Using the resource kit tool regview.exe you can display the registry changes that are contained within any group policy .pol file.

e.g regview C:\Windows\system32\GroupPolicy\User\registry.pol

Will display any registry values contained within the user element of local policy for the machine. This can be a quick an easy way to investigate and compare local policies on different machines.

Thursday, May 25, 2006

Exploring GPMC Scripts

It is worth exploring the scripts provided with the GPMC to save some time documenting and automating the backup of GPO's. Open a command prompt in the C:\Program Files\GPMC\Scripts folder and explore in the lab.

A great example is producing a report to document all of your GPO's. This command will generate an XML and HTML report of all of you GPO's. Very useful for documentation or passing on to people that do not have access to GPMC.

cscript getreportsforAllgpos.wsf c:\Reports

How about this script to schedule a regular backup of GPO's

cscript BackupAllGPOs.wsf c:\Backup


Wednesday, May 24, 2006

Using log files to Debug Group Policy

If your having difficulty getting to the bottom of Group Policy problems having used GPOTool to check consistency and RSOP to check processing, logging is the next step. Enabling this logging tracks all changes and settings applied to the machine as it starts and the user as they log on.

The log file is located in the %windir%\debug\UserMode folder called Userenv.log

Key: HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon
Name: UserEnvDebugLevel

UserEnvDebugLevel = Hex 10002 enables logging
UserEnvDebugLevel = Hex 30002 enables Verbose logging

I recommend that you remove any existing log file and then use gpupdate /force to re-apply group policy or restart the machine for a complete Machine Start and User logon debug.
Carefully review the log for problems and errors. If you are having difficult interpreting the log file consider reading this article.



Saturday, May 20, 2006

GPOTool to Check GPO Consistency

One of the most common group policy problems which produces hidden policies or inconsistent results is when SYSVOL may not be replicating correctly. Using the resource kit tool GPOTool is the best way to ensure that replication of Group Policy is occurring

The utility will report all “Policies OK” if all Domain Controllers SYSVOLS are up to date and current. It is worth considering scheduling this process to occur and report early in the morning as a standard maintenance check.

SYSVOL replication or convergence can take some time in larger organisations, however if the problem still remains after more than 24hrs you need to start investigating the FRS service which is responsible for replicating SYSVOL.

Start by using the sonar utility from the resource kit to see if it exposes any errors with FRS. This tool interrogates the FRS service on all of your Domain Controllers and reports back status and errors in a GUI tool. Then start to investigate the error messages you find.


Troubleshooting Offline files

The local Offline files database does not work well when server folders are moved and this problem is common. The best approach is to re-initialize the offline files on the clients with problems. This functionality is build in but hidden. On the client hold down "control" and "Shift" at the same time before clicking the delete files button in the Offline files tab. This will remove all records of shares and files from the local machine in the cache.


Great ADM file Resource

A great guide for creating ADM file's for registry based policy changes. Details all of the format required and has some examples. Useful resource.