This document provides an overview of how to troubleshoot Group Policy in Windows 10. It discusses options for deploying configuration settings with Group Policy, including applying them manually or using Active Directory. It also covers how Group Policy is processed, including the processing order and factors that affect precedence. Additionally, it discusses tools for troubleshooting Group Policy such as RSoP and event logs. It provides guidance on resolving common Group Policy application issues, like ensuring that the client is connected and authenticated and that the policy is assigned properly.
This topic should be a review for most students. Cover this content quickly, unless the students are unfamiliar with local GPOs.
Use this topic to ensure that students understand the basic process for GPO application, and that GPOs at the organizational unit (OU) level override domain-level GPOs.
Additionally, be sure to mention security filtering, Windows Management Instrumentation (WMI) filtering, and slow-link processing as exceptions to the default processing order.
Explain that there are exceptions to the typical precedence in Group Policy processing, and then describe when you would use each of the options that the slide lists:
Link Order. Use to ensure that a specific GPO that is linked to an OU has precedence on that OU.
Enforced. Use to apply standardized settings for an OU or department.
Block Inheritance. Use to allow a department to operate independently of the GPOs applied in the rest of the OU.
Link Enabled. Use to disable processing of a GPO during troubleshooting.
Explain security and WMI filtering, and the effect of both on Group Policy processing. Mention that with WMI filtering, the client computer evaluates the filter to determine whether to apply Group Policy. However, with security filtering, the domain controller decides whether to apply Group Policy. Mention that, as a result of either filter, the Group Policy does not apply to all users or computers in the same part of Active Directory Domain Services (AD DS).
Explain to students that you do not use loopback processing for most computers. Rather, you use it only for specific scenarios when you need to modify the normal user configuration. Discuss with students why this is useful for settings such as classrooms or conference rooms.
The key concept for students to understand from this topic is that the asynchronous processing that Windows 10 uses might result in the Windows operating system delaying the application of GPO settings, because users might need to reboot the computer before the settings take effect.
Provide an overview of the lesson.
Use this slide to summarize the details regarding when GPO settings take effect. This should answer questions such as, “When do I change a policy setting,” and “When will that setting actually apply to a user or computer?”
Do not provide too much detail about the replication technologies themselves, but rather, point out that both the Group Policy container and Group Policy template must replicate to the domain controller from which a client obtains its policies. Point out that the Group Policy container and Group Policy template use different replication technologies that are not always synchronized.
Other points to make:
We recommend that organizations implement the Always Wait For Network At Startup And Logon policy setting. Otherwise, a change to a policy setting might take several signin/signout or restart cycles before it takes effect, and it is not possible to predict how long this will take. To manage the application of new policy settings effectively, enable Always Wait For Network At Startup And Logon. Make sure that students understand that this does not slow down the startup or signin process significantly. Users will not complain that it is noticeably slower. Also, make sure that students understand that when a system is not connected to the network, it ignores this setting, so this setting is not applied to disconnected laptop users.
Users cannot change most policy settings, particularly managed policy settings. However, if users are administrators of their machines, it is possible for them to change some settings. Those changes will never be reverted to match the settings that the GPOs specify, because most client-side extensions will reapply policy settings only when a GPO has changed. The exception to this rule is security settings, which reapply every 16 hours, regardless of whether the GPO has changed. If your organization is concerned about enforcing its policy settings, and if it is possible for users to change those settings, then you should configure the client-side extensions to reapply policy settings even if the GPO has not changed. You can use Group Policy to configure the policy processing behavior of each client-side extension.
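The following check is an added example, not part of the original course material. It reports whether a client has received the two behaviors recommended above: waiting for the network at startup and logon, and reprocessing policy even when the GPO has not changed. It assumes the registry locations written by the corresponding Administrative Templates settings, and it checks only the registry and security client-side extensions.

```powershell
# Added example: audit the policy-processing settings discussed above on the local client.
# Assumption: the values below are the ones written by the Administrative Templates settings
# "Always wait for the network at computer startup and logon" and
# "Configure <extension> policy processing" > "Process even if the Group Policy objects have not changed".
$gpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'

$checks = @(
    @{ Setting  = 'Always wait for the network at startup and logon'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value    = 'SyncForegroundPolicy'
       Expected = 1 },
    @{ Setting  = 'Registry extension reapplies unchanged GPOs'
       Path     = "$gpKey\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"
       Value    = 'NoGPOListChanges'
       Expected = 0 },
    @{ Setting  = 'Security extension reapplies unchanged GPOs'
       Path     = "$gpKey\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}"
       Value    = 'NoGPOListChanges'
       Expected = 0 }
)

$results = foreach ($c in $checks) {
    # A missing key or value means the setting was never delivered to this client.
    $item   = Get-ItemProperty -LiteralPath $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Value) } else { $null }

    [pscustomobject]@{
        Setting   = $c.Setting
        Actual    = if ($null -eq $actual) { 'not configured' } else { $actual }
        Expected  = $c.Expected
        Compliant = ($null -ne $actual -and $actual -eq $c.Expected)
    }
}

$results | Format-Table -AutoSize
```

A "not configured" result for the reapply settings means that a local administrator's change to a policy-managed registry value persists until the GPO itself changes.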
This topic lists some common ways that you can resolve GPO application issues.
If you have experience with resolving GPO application issues, include additional troubleshooting tips based on your experience. Students also might have methods that they wish to share.
Point out to students that they used the gpupdate /force command in the previous practice demonstration.
Consider demonstrating the three major logs in which you can find Group Policy events.
Point out that RSoP reports also display Group Policy events, particularly in the Advanced view.
Mention that the Group Policy Operational log is a great way to learn exactly how Group Policy applies to Windows operating systems.
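The following script is an added example, not part of the original course material. It collects the evidence described above from an affected client: an RSoP report and the Group Policy Operational log events for the most recent processing cycle. It assumes an elevated session and that a refresh (for example, gpupdate /force) has already run; the report path is a hypothetical location.

```powershell
# Added example: gather RSoP and Group Policy Operational log evidence on the affected client.
$log        = 'Microsoft-Windows-GroupPolicy/Operational'
$reportPath = Join-Path $env:TEMP 'rsop-report.html'   # hypothetical output location

# 1. RSoP report for the current user and computer (/f overwrites an existing file).
#    Without elevation, the computer section of the report is omitted.
gpresult /h $reportPath /f

# 2. Events are returned newest first. Every event written during one processing
#    cycle carries the same ActivityId, so use the newest event's ActivityId
#    to isolate the latest cycle.
$events = Get-WinEvent -LogName $log -MaxEvents 500
$latest = $events | Where-Object ActivityId | Select-Object -First 1

$cycle = $events |
    Where-Object { $_.ActivityId -eq $latest.ActivityId } |
    Sort-Object TimeCreated

"Latest processing cycle: $($latest.ActivityId) ($($cycle.Count) events)"
$cycle |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap

# 3. Errors (level 2) and warnings (level 3) from the last 24 hours, across all cycles.
$problems = Get-WinEvent -FilterHashtable @{
    LogName   = $log
    Level     = 2, 3
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

if ($problems) {
    $problems |
        Group-Object Id |
        Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'Sample'; e = { $_.Group[0].Message } } |
        Format-Table -Wrap
} else {
    'No Group Policy errors or warnings logged in the last 24 hours.'
}
```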
Use this topic as an opportunity to reinforce the lesson’s contents before beginning the lab.
Exercise 1: Resolving Group Policy Application (1)
In this exercise, you will resolve the reported GPO application problem that tier 1 help-desk staff could not resolve.
Note: For the complete exercise scenario, please refer to the student guide.