Troubleshooting

An important part of troubleshooting Group Policy problems is to consider dependencies between components. For example, Software Installation relies on Group Policy, and Group Policy relies on Active Directory Active Directory relies on proper configuration of network services. When trying to fix problems that appear in one component, it is generally helpful to check whether components, services, and resources on which the component relies are working correctly. Event logs are useful for tracking problems that are caused by this type of hierarchical dependency.

Basic tests and information gathering.

I need to know what policy settings are in effect.

Tools that you can use to see what policy is in effect include Resultant Set of Policy and gpresult

You can also get a report on policy from Help and Support Center by following these steps:

1.

Click the Start button, and then click Help and Support.

2.

Click Support.

3.

Under See Also, click Advanced System Information.

4.

Under Advanced System Information, click View Group Policy settings applied.

The report includes User name and domain; Computer name and domain; When User Settings and Computer Settings were last applied; Folder redirection details; Logon, logoff, startup and shutdown scripts; Installed software; and Administrative Templates. The report also gives information about Security Settings, and connection and proxy settings for IE Maintenance.

I want to refresh policy.

Use gpupdate, which causes policy to be refreshed immediately and permits certain options to be specified on the command line. Gpupdate replaces and improves on the Windows 2000 command secedit /refreshpolicy. For more information, see To refresh Group Policy immediately 

Some policy items, such as computer-assigned software, require a reboot to take effect, however. User-assigned software requires the user to log on and log off.

I want to check basic network connectivity.

Try to ping a domain controller.

Make sure that DNS is working properly.

For Network Connection issues, see About Network Connections, To configure a connection, and Local area connections overview

For possible TCP/IP issues, see To test a TCP/IP configuration by using the ping command, To test TCP/IP connections by using the ping and net view commands, and To trace a path by using the tracert command

I want to enable logging.

You can set a registry key that causes Group Policy diagnostic logging to be written to a file named Userenv.log on the client computer. See the section "Monitoring Group Policy with Log Files" in Troubleshooting Group Policy at the Microsoft Web site.

You can also set a registry key that enables verbose logging to the event log so that you can see it with Event Viewer. For more information, see Event Viewer overview and "Verbose Logging to Event Log" in Troubleshooting Group Policy at the Microsoft Web site.

For information about editing the registry, see Registry Editor

Are you having trouble using the Group Policy snap-in?

I need help with the individual Group Policy settings that are included in Administrative Templates.This information is now part of the Windows online help: ADM filePolicy settingsSystem.admOpen Help for System settings Wmplayer.admOpen Help for Windows Media Player settingsInetres.admOpen Help for Internet Explorer settingsConf.admOpen Help for NetMeeting settings

I cannot open a Group Policy object in the console even though I have Read access to it.

Cause:  An administrator must have not just Read access but Full Control of the Group Policy object to open it in the Group Policy console.

Solution:  Be a member of a security group with Full Control on the Group Policy object. For example, a domain administrator can manage Active Directory-based Group Policy. An administrator on a computer can edit the local Group Policy object on that computer.

When I try to edit a Group Policy object, I get the "Failed to open the Group Policy object" error.

Cause:  This usually is due to a networking problem, specifically, a problem with the domain name system (DNS) configuration.

Solution:  Make sure that DNS is working properly. For more information, see DNS

When I try to edit a Group Policy object, I get the "Missing Active Directory Container" error.

Cause:  This is caused by Group Policy attempting to link a Group Policy object to an organizational unit that it cannot find. The organizational unit might be deleted, or it might be created on another domain controller but not replicated to the domain controller that you are using.

Solution:  Limit the number of administrators who can make structural changes to Active Directory, or who can edit a Group Policy object, at any one time. Allow changes to replicate before making changes that affect the same organizational unit or Group Policy object.

When I try to edit a Group Policy object, I get the "Snap-in failed to initialize" error.

Cause:  This may be happen if Group Policy cannot find framedyn.dll.

Solution:  If you use installation scripts, make sure that your scripts place the %windir%\system32\wbem directory in the system path. By default, %windir%\system32\wbem is in the system path already; therefore, you are not likely to encounter this issue if you do not use installation scripts.

Are Group Policy settings not taking effect?

Group Policy is not being applied to users and computers in a security group that contains those users and computers, even though a Group Policy object is linked to an organizational unit that contains that security group.

Cause:  This is correct behavior. Group Policy affects only the users and computers that are contained in sites, domains, and organizational units. Group Policy objects are not applied to security groups.

Solution:  Link Group Policy objects to sites, domains, and organizational units only. Remember that the location of a security group in Active Directory is unrelated to whether Group Policy applies to the users and computers in that security group.

For more information, see To filter the scope of Group Policy according to security group membership

Group Policy is not affecting users and computers in a site, domain, or organizational unit.

Cause:  Group Policy settings can be prevented, intentionally or inadvertently, from affecting users and computers in several ways. A Group Policy object can be disabled so that it does not affect users, computers, or both. It also must be linked directly to an organizational unit that contains the users and computers, or it must be linked to a parent domain or organizational unit, so that the Group Policy settings apply through inheritance.

When multiple Group Policy objects apply, they are processed in this order: local, site, domain, organizational unit. By default, settings that are applied later have precedence. In addition, Group Policy can be blocked at the level of any organizational unit, or it can be enforced through a setting of No Override that is applied to a particular Group Policy object link.

Finally, the user or computer must belong to one or more security groups that have the appropriate permissions set.

Solution:  Make sure that the intended policy is not being blocked.

Make sure that no overriding policy that is set at a higher level of Active Directory has been set to No Override.

If Block and No Override are both used, remember that No Override takes precedence. For more information, see Policy inheritance

Verify that the user or computer is not a member of any security group for which the Apply Group Policy access control entry (ACE) is set to Deny.

Verify that the user or computer is a member of at least one security group for which the Apply Group Policy access control entry (ACE) is set to Allow.

Verify that the user or computer is a member of at least one security group for which the Read access control entry (ACE) is set to Allow.

For more information, see To filter the scope of Group Policy according to security group membership

Group Policy is not affecting users and computers in an Active Directory container.

Cause:  Group Policy objects cannot be linked to Active Directory containers other than sites, domains, and organizational units.

Solution:  Link a Group Policy object to an organizational unit that is a parent to the Active Directory container. Then, by default, those settings are applied to the users and computers in the container through inheritance.

For more information, see To filter the scope of Group Policy according to security group membership

Group Policy is not taking effect on the local computer.

Cause:  Local policies are the weakest. Any Active Directory-based policy can overwrite them.

Solution:  Check to see what Group Policy objects are being applied through Active Directory and if those Group Policy objects have settings that are in conflict with the local settings.

Are you having trouble with the Software Installation snap-in?

Software that you assigned to a computer is not available on the computer.

Cause:  The client computer has not been restarted.

Solution:   Restart the client computer.

Software that you assigned or published to a user is not available on the user's computer.

Cause:  The user has not logged off and then logged on.

Solution:   Have the user log off and then log on.

Published applications do not appear in Add or Remove Programs in Control Panel.

Cause:  Several causes are possible:

Group Policy is not applied.

Active Directory cannot be accessed.

Users do not have any published applications in the Group Policy objects that apply to them.

The client is running Terminal Server.

Solution:  Investigate each possibility in turn. Note that Software Installation is not supported for Terminal Server clients.

Document activation of a published application does not cause the application to install.

Cause:  The administrator did not set autoinstall.

Solution:   See To set the autoinstall option for an application

The user receives an error message such as "The feature you are trying to install cannot be found in the source directory."

Cause:  This could be caused by network or permissions problems.

Solution:  Make sure that the network is working correctly. Also, see To set permissions for Software Installation

The user receives an error message such as "This product is not installed" or "Feature ID not registered."

Cause:  This could be caused by a user with a roaming user profile logging on to two computers simultaneously, which is an unsupported use of roaming user profiles.

Solution:  Have the user log off one computer before logging on to another. That way, the application shortcuts will be updated and valid on the second computer, and they will not give error messages.

After removal of an application, the shortcuts for the application continue to appear on the user's desktop.

Cause:  The user has created shortcuts, and Windows Installer does not recognize them.

Solution:  The user must remove the shortcuts manually.

A user receives an error message such as "Another installation is already in progress."

Cause:  An uninstallation might be taking place in the background, with no user interface presented to the user, or perhaps the user has inadvertently triggered two installations simultaneously, which is not supported.

Solution:  The user can try again later.

The user opens an already installed application, and Windows Installer starts.

Cause:  An application might be undergoing automatic repair, or a user-required feature is being added.

Solution:  No action is required.

A user receives error messages such as "Active Directory will not allow the package to be deployed" or "Cannot prepare package for deployment."

Cause:  The package might be corrupted, or there might be a networking problem.

Solution:  Use an uncorrupted package. Investigate the possibility of network problems and take appropriate action.

When I click one of the Software Installation icons in the Group Policy console tree, I get the error message "Snap-in failed to initialize."

Cause:  This may be happen if Software Installation cannot find framedyn.dll.

Solution:  If you use installation scripts, make sure that your scripts place the %windir%\system32\wbem directory in the system path. By default, %windir%\system32\wbem is in the system path already; therefore, you are not likely to encounter this issue if you do not use installation scripts.

Troubleshooting resources on the Internet

For help with troubleshooting known problems, do a keyword search of the Microsoft Knowledge Base.

See the white paper Troubleshooting Group Policy, which also covers Software Installation troubleshooting issues.

The Microsoft Windows Resource Kits offers articles such as Extending and Troubleshooting Group Policy.

For other sources of information, see Resources



© 2018 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy & Cookies