Everyone has their own troubleshooting quick checks; here are some that you may know well, and others you haven’t tried yet.
Some policies applied only after the second logon, not after the first logon. What’s the deal?
Anything that is set to run synchronously won’t run until after the second logon. Example of this include scripts that are set to run synchronously and Software Installation policy. Note that Software Installation policy can run asynchronously also, but behaves differently in that mode.
For more on this, check out: http://grouppolicy.editme.com/ClientSideProcessing, the “Forced into Foreground” section.
Linked / Enabled
I set up a perfect GPO, why do I not see any of the expected results?
Check to make sure that it is…
Notice how SalesGPO is linked to the domain; you can tell because it has that icon next to it. Even the most elegant GPO is useless until it’s linked to something.
If the Computer side of the GPO is disabled, and your setting is relevant to the Local Machine, the setting will not take effect. The drop down pictured here is where that can go wrong, so make sure to check the status drop down of the details tab.
c) Applicable (passes through the right filters and permissions).
Check the scope tab to make sure the GPO isn’t being filtered out because of permissions or WMI Filters.
Yes, I know it may seem obvious, but sometimes it’s that next gpupdate –force that can make the difference. Why does the second gpupdate work when the first one doesn’t?It’s possible that your link was too slow the first time you tried a gpupdate; several CSE’s (for example: folder redirection, software installation, and scripts) do not process over a slow link.
For the complete list, go here: http://grouppolicy.editme.com/SlowLinks.
Preferences – Targeting
GP Preferences has a really clean UI experience to set up targeting for a Preference item, why is my Preference item not showing up?
Make sure the targeting makes sense; check the and’s and or’s to make sure you’re not creating an impossible requirement. Can one machine be in 2 IP ranges at the same time? Did you hard code a user name when you meant to use a variable?
Helpful Tool: GPLogView (download it!)
GPLogview is a downloadable tool that you can use to export GP event data from the system and operational log and output into txt, HTML, or an XML file. Note that it works with Vista and above, not XP or Windows Server 2003. You can use it to filter the event log by Activity ID (all the events that correlate to one specific GPupdate) with the –a flag.
You can also set it up to run in monitor mode and watch events of a GPUpdate in real time with the –m flag. The command “gplogview.exe –m” opens the channel to read from the event log, then, in a separate command window, do a gpupdate and watch the gplogview window scroll through the events as they happen.
Or (this is my personal favorite) pipe out the event log into a color-coded HTML file with –h (for HTML) –o (output) <filename>. Each color corresponds to an Activity ID, so it’s easy to visually pick out what you are looking for.
Hope this brief refresher helps save you some time!
Lilia Gutnik, Program Manager