Viewing GPO processing

  • 711 Views
  • Last Post 12 April 2016
enieto posted this 21 August 2006

Is there anyway to see when a GPO is being applied. Is there a log
somewhere that shows what was applied and what wasn't? Like the log that's
created when one logs into w2k in safe mode. In that log, you can see what
drivers are loaded. I need to see what policy is causing an error when
users log on. The error is about installing an .INF file, access is denied.

Thank you

show

Order By: Standard | Newest | Votes
darren1 posted this 21 August 2006

Assuming its XP, then you can use GPMC to get a GP Results report that tells
you what GPOs and what settings were applied to a given user or computer.
However, I think what you're asking is, is there any log that tells you when
a particular operation gets blocked by a particular GPO setting, and the
answer to that is no. Depending upon what the operation is, you may be able
to see what registry values are getting queried (assuming it's an admin.
Template policy that is causing the problem) by using Sysinternals Regmon to
spy on the registry I/O while you are doing the particular operation
described below. However, outside of that its trial and error to find why
the operation is getting stopped.
Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out
www.gpoguy.com-- the best source for GPO FAQs, video training, tools and
whitepapers. Also check out the Windows Group Policy Guide, the definitive
resource for Group Policy information.

show

enieto posted this 21 August 2006

Darren,
Thanks yes, that's what I want to find out. I did read something in
previous emails about using network trace on the group policy, but I have no
clue on how to do that. Would enabling verbose userenv logging help, you
think?

show

darren1 posted this 21 August 2006

No, verbose userenv logging simply tells you what is happening during each
step of GP processing. It doesn't log what is happening as the user is
executing commands that may run into policy. We actually had a conversation
with the GP team at MS about this particular issue because it is very
difficult to troubleshoot. I don't think a network trace is going to help
since the problem is not during policy application but when the policy has
already been applied and there is some unexpected reaction between an
application and what could be a totally unrelated (usually) shell
restriction. For example, back in the NT 4 days I spent hours trying to
troubleshoot why a particular 16-bit app would throw weird errors whenever
we tried starting it. Through a process of elimination, I figured that it
was choking on the "Hide Drives" policy that hid certain drive letters from
Explorer. This was primarily due to the fact that the particular API the app
was using was relying on the visibility of the drive letter, rather than a
more standard way of accessing that information. So, its really hard to pin
this kind of stuff down unless you get lucky with Regmon or just remove one
policy item at a time until you find the problematic one.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out
www.gpoguy.com-- the best source for GPO FAQs, video training, tools and
whitepapers. Also check out the Windows Group Policy Guide, the definitive
resource for Group Policy information.

show

webster posted this 12 April 2016

https://helgeklein.com/blog/2015/12/how-group-policy-impacts-logon-performance-2-internals/

 

Look at the bottom of Helge’s article.

 

Thanks

 

 

Webster

 

show

kennedyjim posted this 12 April 2016

Tyvm Mr. Webster.  I was looking all over for that…..

 

show

webster posted this 12 April 2016

May sure you read the other three parts. Helge has done a lot of work with timing the effects of all the pieces and parts that make up GPOs.

 

 

Webster

 

show

Techman06 posted this 12 April 2016

Thanks guys.  Those were my thoughts as well.  I appreciate the feedback! 
Gary G. Gray
g3@xxxxxxxxxxxxxxxx
352.585.4505 

show

VolkerE posted this 12 April 2016

Hi,

 

For me it is not a question of logon performance.

The benefits of disabling are marginal I would say. Depending on size and number of GPOs maybe measurable, but mainly marginal.

 

For me the benefits are in management, understanding and designing.

Is the GPO, which includes User and computer settings in an OU where user and computer reside? Or do you need loopback processing? Which has to

be documented and maybe explained to colleagues and so on.

On the other hand, building a separate GPO to put 1-2 settings in it, to fulfill the “only single hive GPO” guide is also….annoying.

 

The truth probably is somewhere in between.

J

 

 

 

 

 

show

webster posted this 12 April 2016

I find it makes troubleshooting GPO issues a little harder. Some admins forget, or don’t know, a side was disabled. They then make changes to the disabled side

and then pull their hair out trying to figure out why the settings are not working. Just my $0.02US worth.

 

 

Webster

 

show

darren posted this 12 April 2016

Agree with Volker 100%. I’ve said for years that disabling one side or the other strictly from a performance perspective provides zero value. That said, the benefits from a

complexity perspective are high, especially if you have multiple “hands in the pie”.

 

Darren

 

show

Techman06 posted this 12 April 2016

From a management perspective I absolutely agree that keeping them separate helps tremendously,  especially when there are multiple fingers involved.   My position was that it didn't impact logon performance when there were User and Computer settings in a GPO and you guys have clarified that for me.  Appreciate the help.
Gary
Gary G. Gray
g3@xxxxxxxxxxxxxxxx

show

Close