Monitor GPO Health
Troubleshooting problems with Group Policy is a necessary art. Problems will occur, and you will need to resolve them. However, you may be able to head off Group Policy issues by monitoring GPO health. If you find problems before they are reported via user complaints, or before the lack of security enforcement results in a successful attack, all the better. To monitor GPO health, you should monitor each of these:
- DNS
- Network connectivity
- DC health
- Replication
- GPO-specific issues
The first four items are discussed in earlier sections. You can monitor many GPO-specific issues by using the GPMonitor.exe tool and by using the reporting features of GPMC. GPMonitor.exe is a resource kit tool that records information each time Group Policy is refreshed on a monitored computer, so you can check whether policy application is stable over time and whether replication has delivered the same policy everywhere. To get started, run GPMonitor.exe to extract the .msi file, the help file, and the gpmonitor.adm template. The gpmon service monitors refreshes and writes the results to a centralized share; the share location is set through the gpmonitor.adm template. Run the .msi file on every domain controller (you can distribute the files through Group Policy) to install the gpmon service and start it. The service does not listen on the network; it only writes to the share. To add the new gpmonitor.adm template and configure GPMonitor, follow these steps:
1. Open the GPO that applies to your domain controllers (for example, the Default Domain Controllers Policy) in the Group Policy Object Editor.
2. Right-click the Administrative Templates folder in the Computer Configuration node and select Add/Remove Templates.
3. Click the Add button, browse to the gpmonitor.adm file, and click Open.
To configure the policy, do the following:
1. Select the Group Policy Monitor node under Administrative Templates.
2. Open the Group Policy Monitor item and select Enabled.
3. Enter the UNC path of the share on which the results will be collected, as shown in Figure 9-36, and click OK.
Because the collected refresh data describes which security settings are applied where, restrict the share's permissions to the computers that write to it and the administrators who need to read it.
The reports and the information they provide are listed in Table 9-8. More information on GPMC scripts can be found in the %ProgramFiles%\GPMC\Scripts\gpmc.chm file on a computer where GPMC has been installed.
Table 9-8. Monitor GPO Health via GPMC Reports

| Report Title | Report Script | GPO Health Function |
|---|---|---|
| List all GPOs in a Domain | ListAllGPOs.wsf | Are all the GPOs that are supposed to exist there? Are rogue GPOs evident? |
| List Disabled GPOs | FindDisabledGPOs.wsf | Why are they disabled? Are they supposed to be? Are some enabled that should be disabled? Check disabled GPOs against a maintenance list. |
| List GPO Information | DumpGPOInfo.wsf | Produces a list of information about a GPO. |
| List GPOs at a Backup Location | QueryBackupLocation.wsf | Checks a backup location to see whether all GPOs are backed up and whether the backups are where they are supposed to be. |
| List GPOs by Policy Extension | FindGPOsByPolicyExtension.wsf | Specific policy extensions may be the purview of specific people or may be critical to some operations. Listing the GPOs that use an extension is a quick check that they are present as they should be. |
| List GPOs by Security Group | FindGPOsBySecurityGroup.wsf | Lists the GPOs on which a given security group holds a given permission (for example, Apply Group Policy or Edit). Use it to check that policy application and edit permissions are correct. |
| List GPOs Orphaned in SYSVOL | FindOrphanGPOsInSYSVOL.wsf | Looks for GPOs that have files in SYSVOL but for which Active Directory records no longer exist. |
| List GPOs with Duplicate Names | FindDuplicateNamedGPOs.wsf | Lists any GPOs that do not have unique names. |
| List GPOs Without Security Filtering | FindGPOsWithNoSecurityFiltering.wsf | Lists GPOs for which no security principal has been granted Apply Group Policy; such GPOs apply to no one. |
| List SOM Information | DumpSOMInfo.wsf | What SOMs exist: sites, domains, OUs? Is one not accessible? |
| List SOMs with Links to GPOs in External Domains | FindSOMsWithExternalGPOLinks.wsf | Links to GPOs in other domains can be a problem and should be avoided. |
| List Unlinked GPOs in a Domain | FindUnlinkedGPOs.wsf | It is possible to create a GPO without linking it to any container; likewise, it is possible to remove all links from a GPO. Should the GPOs found be without links, or is this an error? |
| Print the SOM Policy Tree | ListSOMPolicyTree.wsf | Prints the tree of sites, domains, and OUs with the GPOs linked at each level, so linking can be reviewed end to end. |
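Several of the checks in Table 9-8 can be automated and run on a schedule so that drift is noticed before anyone complains. The following PowerShell script is an added example, not the book's code and not one of the GPMC scripts: it uses the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 and later, or RSAT) to reproduce the disabled, duplicate-name, no-security-filtering, unlinked and orphaned-in-SYSVOL checks, and compares disabled or unlinked GPOs against a maintenance list. The domain name default and the location of the maintenance list file are assumptions.

```powershell
# Added example (not from the book or the GPMC script set): scheduled GPO health check.
# Assumes the GroupPolicy and ActiveDirectory modules are present and that the account
# can read GPOs, AD containers and the domain's SYSVOL share.
#Requires -Modules GroupPolicy, ActiveDirectory
param(
    [string]$Domain = (Get-ADDomain).DNSRoot,                     # assumption: current domain
    [string]$MaintenanceList = "$PSScriptRoot\gpo-maintenance.txt" # assumption: one GPO name per line
)

$allowed  = if (Test-Path $MaintenanceList) { Get-Content $MaintenanceList } else { @() }
$gpos     = Get-GPO -All -Domain $Domain
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Gpo, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; GPO = $Gpo; Detail = $Detail })
}

# 1. Disabled GPOs that are not on the maintenance list (cf. FindDisabledGPOs.wsf)
foreach ($g in $gpos | Where-Object { $_.GpoStatus -ne 'AllSettingsEnabled' -and $allowed -notcontains $_.DisplayName }) {
    Add-Finding 'Disabled' $g.DisplayName $g.GpoStatus
}

# 2. GPOs sharing a display name (cf. FindDuplicateNamedGPOs.wsf)
$gpos | Group-Object DisplayName | Where-Object Count -gt 1 | ForEach-Object {
    Add-Finding 'DuplicateName' $_.Name "$($_.Count) GPOs share this name"
}

# 3. GPOs that no principal can apply (cf. FindGPOsWithNoSecurityFiltering.wsf)
foreach ($g in $gpos) {
    $apply = Get-GPPermission -Guid $g.Id -All -DomainName $Domain |
             Where-Object { $_.Permission -eq 'GpoApply' }
    if (-not $apply) { Add-Finding 'NoSecurityFiltering' $g.DisplayName 'No Apply Group Policy permission granted' }
}

# 4. Unlinked GPOs (cf. FindUnlinkedGPOs.wsf): gather every gPLink on the domain, its OUs and the sites
$containers  = @((Get-ADDomain -Identity $Domain).DistinguishedName)
$containers += Get-ADOrganizationalUnit -Filter * -Server $Domain | Select-Object -ExpandProperty DistinguishedName
$configNC    = (Get-ADRootDSE -Server $Domain).configurationNamingContext
$containers += Get-ADObject -Filter 'objectClass -eq "site"' -SearchBase "CN=Sites,$configNC" -Server $Domain |
               Select-Object -ExpandProperty DistinguishedName
$linked = @{}
foreach ($dn in $containers) {
    $gpLink = (Get-ADObject -Identity $dn -Properties gPLink -Server $Domain).gPLink
    # gPLink is a string of [LDAP://cn={GUID},cn=policies,...;flags] entries; keep the GUIDs
    if ($gpLink) {
        foreach ($m in [regex]::Matches($gpLink, '\{[0-9A-Fa-f-]{36}\}')) { $linked[$m.Value.ToUpper()] = $true }
    }
}
foreach ($g in $gpos) {
    $id = "{$($g.Id.ToString().ToUpper())}"
    if (-not $linked.ContainsKey($id) -and $allowed -notcontains $g.DisplayName) {
        Add-Finding 'Unlinked' $g.DisplayName 'No site, domain or OU in this domain links to this GPO'
    }
}

# 5. Policy folders in SYSVOL with no matching GPO object in AD (cf. FindOrphanGPOsInSYSVOL.wsf)
$knownIds = $gpos | ForEach-Object { "{$($_.Id.ToString().ToUpper())}" }
Get-ChildItem -Path "\\$Domain\SYSVOL\$Domain\Policies" -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' -and $knownIds -notcontains $_.Name.ToUpper() } |
    ForEach-Object { Add-Finding 'OrphanInSYSVOL' $_.Name 'Folder exists in SYSVOL but no GPO object exists in AD' }

$findings | Sort-Object Check, GPO | Format-Table -AutoSize
# Non-zero exit lets a scheduled task or monitoring job raise an alert on any finding
if ($findings.Count -gt 0) { exit 1 }
```

Run it as a scheduled task under an account with read access to the domain's GPOs and SYSVOL, and treat a non-zero exit code as an alert. The maintenance list is what turns the "Disabled" and "Unlinked" rows of the table into actionable output: anything on the list is expected, anything not on it needs an explanation. Links from other domains are not covered by the gPLink scan, so an unlinked finding for a GPO that is linked only from another domain is itself a prompt to review that external link, as the table recommends.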
The Group Policy Monitor tool, GPMonitor.exe, can be used to collect information during every Group Policy refresh and send it to a central location. It consists of the gpmonitor service, which runs on each monitored computer and collects the data, and a viewer that can be used to look at the collected data. This tool is part of the Microsoft Windows Server 2003 Deployment Resource Kit (Microsoft Press, 2003).