none
Troubleshooting tools for AD and GPO client side

    Question

  • Hello,

    I'm looking for recommendations for troubleshooting tools I can use to help me resolve Active Directory and GPO related issues on a client computer. I have some workstations that have a variety of problems (sporadic, they resolve themselves) with finding the AD server, GPO files, or processing GPO's. I've done health checks on the AD servers and have not found any problems. Servers in the data-center seem to be fine also, but user workstations have problems. As I'm gathering all this info to find the problem, it would be very helpful to be able to see more detailed information from the client's workstation as to why these problems are happening.

    Please recommend AD/GPO troubleshooting tools I can use on a client's workstation to troubleshoot these issues.

    Thursday, July 16, 2015 7:20 PM

Answers

  • Hi Paul,

    >>I have some workstations that have a variety of problems (sporadic, they resolve themselves) with finding the AD server, GPO files, or processing GPO's. I've done health checks on the AD servers and have not found any problems.

    How is it going? Based on the description, first of all, we can try to ping the fully qualified domain name (FQDN) of domain controllers on clients to see if they can find the domain controller properly. On domain controllers, we can use dcdiag.exe to check the health of domain controller and utilize repadmin.exe to check the replication health between domain controllers.

    Dcdiag

    https://technet.microsoft.com/en-us/library/cc731968.aspx

    Repadmin

    https://technet.microsoft.com/en-us/library/cc770963.aspx

    For troubleshooting the application of group policy, we can simply run command gpresult/h report.html to collect group policy result report to check how the settings are applied to the users or computers. Note, to collect computer part settings, we need to run the command with admin privileges. Besides, as others suggested, we can utilize event logs when troubleshooting AD and GP issues.

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Tuesday, July 28, 2015 2:35 AM
    Moderator
  • Hi,

    You can use the below command line tools

    GPUPDATE - To update the GPO settings in clinet(could be used with /force key)

    RSOP.MSC - Resultant set of policy

    GPresult /V >gp.txt GP result in verbose mode (/Z  - Extended verbose,  / h - HTMl export.)

    Please refer to the below link for more information.

    https://technet.microsoft.com/en-us/library/cc787386(v=ws.10).aspx


    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, July 28, 2015 9:27 AM

All replies

  • Hi

     You could check this 10 common problems causing gpo to not apply article for a start point;

    http://social.technet.microsoft.com/wiki/contents/articles/22457.10-common-problems-causing-group-policy-to-not-apply.aspx

    Thursday, July 16, 2015 7:25 PM
  • You can use Event Forwarding to get errors and warnings from Client computers.

    You will collect all specified event in Server which you have configured as an Event collector.

    Thursday, July 16, 2015 7:25 PM
  • Hi Paul,

    >>I have some workstations that have a variety of problems (sporadic, they resolve themselves) with finding the AD server, GPO files, or processing GPO's. I've done health checks on the AD servers and have not found any problems.

    How is it going? Based on the description, first of all, we can try to ping the fully qualified domain name (FQDN) of domain controllers on clients to see if they can find the domain controller properly. On domain controllers, we can use dcdiag.exe to check the health of domain controller and utilize repadmin.exe to check the replication health between domain controllers.

    Dcdiag

    https://technet.microsoft.com/en-us/library/cc731968.aspx

    Repadmin

    https://technet.microsoft.com/en-us/library/cc770963.aspx

    For troubleshooting the application of group policy, we can simply run command gpresult/h report.html to collect group policy result report to check how the settings are applied to the users or computers. Note, to collect computer part settings, we need to run the command with admin privileges. Besides, as others suggested, we can utilize event logs when troubleshooting AD and GP issues.

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Tuesday, July 28, 2015 2:35 AM
    Moderator
  • Hi,

    You can use the below command line tools

    GPUPDATE - To update the GPO settings in clinet(could be used with /force key)

    RSOP.MSC - Resultant set of policy

    GPresult /V >gp.txt GP result in verbose mode (/Z  - Extended verbose,  / h - HTMl export.)

    Please refer to the below link for more information.

    https://technet.microsoft.com/en-us/library/cc787386(v=ws.10).aspx


    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, July 28, 2015 9:27 AM