Troubleshooting Group Policy can be a pain. I agree. When I try out new awesome Group Policy Preferences, or I experiment with the GP cmdlets, I am sometimes stumped. Here’s what we do when we are troubleshooting our own test environments on the Group Policy team:
I have a problem. Did the GPO apply? (Check the event log)
Moving down the left side of the tree : If yes, did the setting apply? (Check the RSoP)
If yes, follow the tree and check the suggestions in the blue box: Do a GPUpdate to make sure the policy is refreshed. Check the inheritance to make sure the setting isn’t getting over-written. Make sure your Active Directory and Sysvol versions are the same to make sure that file replication is working correctly. Is your processing set to be Asynchronous? If so, that extension may not be processing at every GP refresh…etc etc
You can take a similar trip down the right side of the tree:
I have a problem. Did the GPO apply? (check the event log)
If no, was the GPO denied? (found from the event log)
Yes it was! (move to the right) Why was the GPO Denied? Could it because of some security filtering that you didn’t see? Was the “computer settings” side of the GPO disabled? Is there a WMI filter that evaluated to false?
Or…not, it was not denied, but it still did not apply. (move to the left-most blue box) Could it just need to be refreshed? Did the GPO fall outside of the scope of management? Is there a network connectivity issue and the DC is not communicating properly?
This is the starting point we on the GP team go through when we are troubleshooting our test environments. Let me know what some of your standard checks are in your environment in the comments.
Hope this helps,
LiliaG, aka @superlilia