Quick Guide to Troubleshooting Group Policy Security Settings
As Active Directory, Group Policy, security, and desktop administrators, we all know that the best way to secure a Windows environment is to use Group Policy. There are hundreds, if not thousands, of security settings in a single Group Policy Object (GPO). Using a GPO is efficient, powerful, and automatic. However, there are times when you scratch your head wondering whether the GPO settings, and even the GPO itself, applied correctly. In this article, I will give you some tips on the tools and commands you can use to check that your GPOs and their security settings are applying correctly. Of course, if you want more info on Group Policy or Troubleshooting Group Policy, you can go to the ultimate reference, the MSPress Group Policy Resource Kit, written by little ole' me!
Which Settings are "Security Settings"?
With over 5000 settings in a single GPO, I want to be 100% clear on which settings I am referring to in this article. There is a special section in a GPO that is dedicated to security. Yes, I know there are other areas that also deal with security, but here, I am only referring to this section.
In order to find this section, you will open up a GPO, preferably through the GPMC, as a local GPO does not have the same suite of settings as a GPO from Active Directory. Once you have the GPO in the editor, you will expand the Computer Configuration\Policies\Windows Settings\Security Settings node, as shown in Figure 1.
Figure 1: Security Settings node expanded in the Group Policy Management Editor
Here you will find a bunch of settings, ranging from Registry hacks, user rights, permissions for files/folders/Registry, Wireless security, group membership, etc. The majority of these settings are controlled by the security client side extension, so if one fails, they all might fail. On the flip side, if one of them is applied, they should all apply effortlessly (in theory!).
From within the GPMC (on any machine where you have administrative rights), you will be able to run the Group Policy Results tool. The tool is built into the GPMC, so there is nothing special you need to do. From the GPMC you will be able to determine what the settings are on the target computer with regard to the security settings you deployed in your GPO.
To find the Group Policy Results node in the GPMC, you will look down at the bottom of the GPMC console. There you will find the Group Policy Results node, as shown in Figure 2.
Figure 2: Group Policy Results node is at the bottom of the GPMC node list
With this tool, you will select the "user account" and "computer account" that you want the results for. This is initiated by right-clicking on the Group Policy Results node and selecting the wizard. When the wizard completes, you will see your results listed under the Group Policy Results node, as shown in Figure 3.
Figure 3: Group Policy Results illustrate the resulting GPOs and settings for a user and computer combination
From this interface you can check many aspects of the GPOs that have applied, as well as the settings. There are three things to check in the right pane. First, check the Group Policy Objects to make sure your GPO applied and was not denied for some reason. Second, check the Component Status for any errors related to the Security client side extension. Finally, check the Settings tab for the Security Settings section and the settings that you applied, as shown in Figure 4.
Figure 4: Settings tab for your Group Policy Results will indicate which settings applied to the target computer
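The same three checks can be scripted. The following is an added example, not part of the original article: it saves the Group Policy Results data as XML with Get-GPResultantSetOfPolicy (from the GroupPolicy module that ships with the GPMC) and reads back the GPO status, the Security client side extension status, and the kinds of Security Settings that arrived. The computer, user, and GPO names are placeholders, and the element names are those of the XML report as assumed here.

```powershell
# Added example: the three Group Policy Results checks, scripted.
# Run elevated where the GPMC is installed. Names below are placeholders.
Import-Module GroupPolicy
$Computer    = 'WKS01'
$User        = 'CONTOSO\jdoe'                  # must have logged on to $Computer
$ExpectedGpo = 'Workstation Security Baseline'
$Report      = Join-Path $env:TEMP "rsop-$Computer.xml"
$SecurityCse = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'  # Security client side extension

# Collect the same logged data the wizard does, saved as an XML report.
Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Xml -Path $Report | Out-Null
$rsop = New-Object System.Xml.XmlDocument
$rsop.Load($Report)

# Namespace-agnostic lookups: the report mixes several XML namespaces.
function Get-Nodes($node, $name) { $node.SelectNodes("*[local-name()='$name']") }
function Get-Text($node, $name) {
    $n = $node.SelectSingleNode("*[local-name()='$name']")
    if ($n) { $n.InnerText }
}
$computerResults = $rsop.DocumentElement.SelectSingleNode("*[local-name()='ComputerResults']")

# Check 1: did the GPO apply, or was it denied / filtered out?
$gpos = Get-Nodes $computerResults 'GPO' | ForEach-Object {
    [pscustomobject]@{
        Name          = Get-Text $_ 'Name'
        Enabled       = Get-Text $_ 'Enabled'
        FilterAllowed = Get-Text $_ 'FilterAllowed'
        AccessDenied  = Get-Text $_ 'AccessDenied'
    }
}
$gpos | Format-Table -AutoSize
$mine = $gpos | Where-Object { $_.Name -eq $ExpectedGpo }
if (-not $mine) { Write-Warning "$ExpectedGpo is not in the results for $Computer" }
elseif ($mine.AccessDenied -eq 'true' -or $mine.FilterAllowed -eq 'false') {
    Write-Warning "$ExpectedGpo was denied or filtered out"
}

# Check 2: component status of the Security client side extension.
$cse = Get-Nodes $computerResults 'ExtensionStatus' |
    Where-Object { (Get-Text $_ 'Identifier') -eq $SecurityCse }
if (-not $cse) { Write-Warning 'The Security extension did not process on this computer' }
else { "Security CSE: status=$(Get-Text $cse 'LoggingStatus') error=$(Get-Text $cse 'Error')" }

# Check 3: which kinds of Security Settings actually arrived.
Get-Nodes $computerResults 'ExtensionData' |
    Where-Object { (Get-Text $_ 'Name') -eq 'Security' } |
    ForEach-Object { (Get-Nodes $_ 'Extension').ChildNodes } |
    Group-Object LocalName | Select-Object Name, Count
```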
You can also run RSOP.msc on the target computer, which will give you the same information as check #1 (the Group Policy Results tool), except that the interface uses a totally different format. Figure 5 illustrates that the RSOP.msc command on a target computer shows the GPO settings in the same format as the original GPO that was used to configure it in the editor. This is a beneficial view for some, as there is no need to worry about the path of the security setting; you can simply go directly to the node in the GPO and see the results.
Figure 5: RSOP.msc results on target computer
To see more information about the GPOs and the client side extensions, you will need to dive a bit deeper into this interface. If you right-click on the Computer Configuration node, you can select the Properties menu option. From here, you will see the GPOs that applied, as well as be able to toggle to see the following nodes, as shown in Figure 6:
- GPOs and filtering status
- Scope of management of the GPO
- Revision information about the GPO
Figure 6: RSOP Properties option displays more details about the applied GPOs
This information can help you discover why the GPO and related settings might not have applied.
To see the client side information details, you will select the Error Information tab, as shown in Figure 7.
Figure 7: Error Information tab within the RSOP.msc properties option
Here, you can see why a specific CSE might not have applied, which gives you information about why the settings might not be in the RSOP.msc interface.
If you just want to target the security settings, instead of all of the settings that are deployed from the GPO, you can run secpol.msc on the target computer. This will just show the subset of the GPO, in the same format as the original GPO editor. You can see this in Figure 8.
Figure 8: Secpol.msc shows only the security settings on a target computer
There are two issues that I want to mention about this tool. First, this tool will show MORE than just the security settings that were deployed from a GPO. This has great power, as you can see ALL of the security settings on the computer, not just those that were deployed from a GPO. You can immediately tell which settings were from a GPO in Active Directory compared to those that were applied locally by the icon on the setting. If you refer to Figure 8, you can see that the Account lockout threshold has a different icon compared to the other two settings. The icon for this setting illustrates that the setting is from a GPO from Active Directory, whereas the other two were configured locally.
The second point is that you can clearly see that the secpol.msc tool does not show as much of the GPO settings as does the RSOP.msc tool. So, when you are checking certain settings, you need to work with the tool that best shows the results you are looking for.
As you can see, you have many options (not that this is an exhaustive list) to help check the status of security settings that you deploy using a GPO. These tools are all built in and are very useful. Of course, you must have the correct administrative privileges to run them, but when you do, you can easily see which settings have applied, which have not, and the potential reasons for them not applying.