Group Policy

Group Policy Health Check

Last Updated: January 29, 2024
958

Hello All,

Hope this post finds you in good health and spirit.

Group Policy Objects and Gpotool.EXE

Group Policy has two parts: GPC and GPT. GPC is called Group Policy Container and GPT is called Group Policy Template. The first one is stored in Active Directory and later is stored in SYSVOL share.

The GPC is stored at the following path in the Active Directory:

DomainName.Com\System\Policies\{31B2F340-016D-11D2 …..}

The GPT is stored at:

SYSVOL\DomainName.Com\SYSVOL\Policies\{31B2F340-016D-11D2…..}

GPC and GPT must sync with each other. The GPC is replicated by the Active Directory replication and replicated to all the Domain Controllers of that domain. GPT is replicated by the File Replication Service or DFS-R and replicated to all the domain controllers of that domain.

 GPOTool is very useful tool that do the health of your groups policies. This is free utility, and it can be downloaded from MS site. 

Tasks that can be accomplished:

 Verify consistency of a GPO across domain controllers, view properties of GPOs, such as display name, when created and changed, version number, GUID, and 

flags.

A Group Policy may not apply to client computers if both GPC and GPT do not sync. GPC stores its version number in an attribute called VersionNumber which is matched with the Version Number stored in the GPT.INI for GPT. As an example, GPC version number is 23 whereas GPT version number is 24. Both versions are not matching, and this is called Version Mismatch. You can check if all the Group Policy Objects in your organization has synced properly using the Gpotool.exe. The Gpotool.exe returns OK for each Group Policy it checks as shown below:

C:\>Gpotool.exe

Validating DCs…
Available DCs:
DC01.Windowstechno.local
DC02.Windowstechno.local
DC04.Windowstechno.local
Searching for policies…
Found 4 policies
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Friendly name: Default Domain Policy
Policy OK
Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
Friendly name: Default Domain Controllers Policy
Policy OK
Policy {79A24835-93A3-4240-8DEA-F35EF53780DE}
Friendly name: CL-C-HomeDriveMapping-LS
Error: Cannot access \DC02.Windowstechno.local\sysvol\Windowstechno.local\polic
ies{79A24835-93A3-4240-8DEA-F35EF53780DE}, error 2
Error: Cannot access \DC04.Windowstechno.local\sysvol\Windowstechno.local\polic
ies{79A24835-93A3-4240-8DEA-F35EF53780DE}, error 2
Details:
DC: DC01.Windowstechno.local
Friendly name: CL-C-HomeDriveMapping-LS
Created: 4/14/2019 3:58:05 PM
Changed: 4/14/2019 4:11:07 PM
DS version: 10(user) 0(machine)
Sysvol version: 10(user) 0(machine)
Flags: 2 (user side enabled; machine side disabled)
User extensions: [{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7
-A6E3AC170006}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A
6E3AC170006}]Machine extensions: not found
Functionality version: 2

DC: DC02.Windowstechno.local
Friendly name: CL-C-HomeDriveMapping-LS
Created: 4/14/2019 3:58:05 PM
Changed: 4/19/2019 4:23:38 PM
DS version: 10(user) 0(machine)
Sysvol version: not found
Flags: 2 (user side enabled; machine side disabled)
User extensions: [{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7
-A6E3AC170006}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A
6E3AC170006}]Machine extensions: not found
Functionality version: 2

DC: DC04.Windowstechno.local
Friendly name: CL-C-HomeDriveMapping-LS
Created: 4/14/2019 3:58:05 PM
Changed: 4/19/2019 4:26:13 PM
DS version: 10(user) 0(machine)
Sysvol version: not found
Flags: 2 (user side enabled; machine side disabled)
User extensions: [{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7
-A6E3AC170006}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A
6E3AC170006}]Machine extensions: not found
Functionality version: 2
————————————————————
Policy {A8F52BB2-BA8E-4327-B551-9AB1606559EE}
Friendly name: ST_Proxy_Setting_FD
Policy OK
Errors found
C:\Users\administrator.WINDOWSTECHNO>

So, that’s all in this blog. I will meet you soon with next stuff. Have a nice day!!!

Guys please don’t forget to like and share the post.Also join our WindowsTechno Community and where you can post your queries/doubts and our experts will address them .

You can also share the feedback on below windows techno email id.

If you have any questions feel free to contact us on admin@windowstechno.com also follow us on facebook@windowstechno to get updates about new blog posts.

How useful was this post?

Click on a star to rate it!

As you found this post useful...

Follow us on social media!

Was this article helpful?
YesNo
Tags
Last Updated: January 29, 2024
958
Photo of Vipan Kumar

Vipan Kumar

He is an Active Directory Engineer. He has been working in IT industry for more than 10 years. He is dedicated and enthusiastic information technology expert who always ready to resolve any technical problem. If you guys need any further help on subject matters, feel free to contact us on admin@windowstechno.com Please subscribe our Facebook page as well website for latest article. https://www.facebook.com/windowstechno
Back to top button