Group Policy Health check on specific domain controller.

Hello All,

Hope this post finds you in good health and spirit.

How we can do the Group Policy Health check on Specific domain controller.

If you are working in large AD environment then gpo related issues continues to come like syncing issues, version mismatch, gpt.ini missing and access deny errors.

Recently we encountered version mismatch issue with one of the critical domain policies. In my AD environments there are around 900+ domain controllers and that are in different countries. by the way we are also using the AGPM tool to control the gpo versions. if incase anything goes wrong, we recover it from AGPM as well RMAD tool.

But only fews gpo are being managed in AGPM tool that are frequently changes. can do the GPO health by GPOTool.exe. we should know about the GPO GUID as highlighted in below image.

Copy the unique ID of gpo and open the command prompt windows {CMD} on any of domain controllers.

Now execute the below command to get the gpo health check on specific domain controller.

We are doing the Health check on DC02 domain controller for Policy {79A24835-93A3-4240-8DEA-F35EF53780DE}.

You can see the version mismatch on this domain controller. The gpo CL-C-HomeDriveMapping-LS is not syncing to DC02 domain controller . it could be due to replication issues.

C:>gpotool /gpo:79A24835-93A3-4240-8DEA-F35EF53780DE
Validating DCs…
Available DCs:
DC02.Windowstechno.local
Searching for policies…
Found 1 policies
Policy {79A24835-93A3-4240-8DEA-F35EF53780DE}
Friendly name: CL-C-HomeDriveMapping-LS
Error: Cannot access \DC02.Windowstechno.local\sysvol\Windowstechno.local\polic
ies{79A24835-93A3-4240-8DEA-F35EF53780DE}, error 2
Error: Cannot access \DC04.Windowstechno.local\sysvol\Windowstechno.local\polic
ies{79A24835-93A3-4240-8DEA-F35EF53780DE}, error 2
Details:
DC: DC02.Windowstechno.local
Friendly name: CL-C-HomeDriveMapping-LS
Created: 4/14/2019 3:58:05 PM
Changed: 4/19/2019 4:23:38 PM
DS version: 10(user) 0(machine)
Sysvol version: not found
Flags: 2 (user side enabled; machine side disabled)
User extensions: [{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7
-A6E3AC170006}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A
6E3AC170006}]Machine extensions: not found
Functionality version: 2
————————————————————
Errors found
C:>

AD health check also give the insight on GPO sync issue and version mismatch as per below images-

So, that’s all in this blog. I will meet you soon with next stuff .Have a nice day!!!

Recommended contents

• GP Result
• What is Group Policy
• Group Policy Update
• Design Considerations for Group-Policy
• What is the Refresh Interval for Group Policy
• Group Policy templates and containers
• Group Policy objects
• Group Policy health check
• Group Policy health check on specific domain controller
• Group Policy verification tool gpotool exe
• how to find the group policy guid
• Group Policy understanding group policy preferences
• Group Policy management process

Guys please don’t forget to like and share the post.Also join our WindowsTechno Community and where you can post your queries/doubts and our experts will address them .

You can also share the feedback on below windows techno email id.

If you have any questions feel free to contact us on admin@windowstechno.com also follow us on facebook@windowstechno to get updates about new blog posts.