If you are like me, you don't get to work with Active Directory Group Policies very often. As a matter of fact, the AD guys make it a point to keep us away from managing GPOs in any shape or form. It can get challenging to troubleshoot security issues that stem from restrictive GPOs, not only because you can't look at them directly, but also because settings will cascade, overwrite and exclude one another depending on OU and security filtering.
A couple of neat tricks:
To make sure GPOs are applied, run gpupdate /force from the command line, then reboot your machine.
It helps quite a bit to see all the settings that are actually being applied, and we no longer have to wait on the AD guys to give us a Resultant Set of Policy (RSoP) report. Just fire up PowerShell on the server you are working with (Windows Server 2008), and issue rsop.msc.
I find this one quite helpful, not only because it gives you a quick overview of the settings that are being applied, but also because it takes care of the GPO precedence, filtering and all the other things that make GPOs complex. Not only that, but it also highlights the ones that have errors being applied, like this one for example.
Finally, if you need to just save a classic report and e-mail it out, go to the command line and issue gpresult /h C:\report.html
This will save your applied GPOs in a nice HTML format. The Active Directory guys can keep their job, and you can keep yours :).
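The same report can be written as XML with gpresult /x and filtered from PowerShell, which is handy when you only want to know which GPOs were applied and which were filtered out. The script below is an added example, not part of the original post; the function name Get-GpoStatus is hypothetical, and the sample XML and its element names are constructed to mirror what the report is assumed to contain.

```powershell
# Added example. On a real server, create the XML from an elevated prompt:
#   gpresult /scope computer /x C:\report.xml /f
#   [xml]$report = Get-Content C:\report.xml
# The sample below is constructed. Its element names are assumed to match
# the gpresult XML report, so compare them with your own file.
[xml]$report = @'
<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop">
  <ComputerResults>
    <GPO>
      <Name>Default Domain Policy</Name>
      <FilterAllowed>true</FilterAllowed>
      <AccessDenied>false</AccessDenied>
      <Link><SOMPath>example.local</SOMPath><AppliedOrder>1</AppliedOrder></Link>
    </GPO>
    <GPO>
      <Name>Server Hardening (constructed)</Name>
      <FilterAllowed>true</FilterAllowed>
      <AccessDenied>false</AccessDenied>
      <Link><SOMPath>example.local/Servers</SOMPath><AppliedOrder>2</AppliedOrder></Link>
    </GPO>
    <GPO>
      <Name>Kiosk Lockdown (constructed)</Name>
      <FilterAllowed>false</FilterAllowed>
      <AccessDenied>false</AccessDenied>
      <Link><SOMPath>example.local/Servers</SOMPath><AppliedOrder>0</AppliedOrder></Link>
    </GPO>
  </ComputerResults>
</Rsop>
'@

function Get-GpoStatus {
    param([xml]$Report, [string]$Scope = 'ComputerResults')
    foreach ($gpo in $Report.Rsop.$Scope.GPO) {
        # XPath with local-name() avoids clashing with XmlElement's own Name property.
        $name = $gpo.SelectSingleNode("*[local-name()='Name']").InnerText
        foreach ($link in $gpo.Link) {
            # AppliedOrder 0 is assumed to mean "linked here but not applied".
            $status = 'Applied'
            if ($gpo.AccessDenied -eq 'true')       { $status = 'Denied (access denied)' }
            elseif ($gpo.FilterAllowed -eq 'false') { $status = 'Denied (filtered out)' }
            elseif ([int]$link.AppliedOrder -eq 0)  { $status = 'Not applied' }
            New-Object PSObject -Property @{
                Order = [int]$link.AppliedOrder; GPO = $name
                LinkedAt = $link.SOMPath; Status = $status }
        }
    }
}

Get-GpoStatus $report | Sort-Object Order |
    Select-Object Order, GPO, LinkedAt, Status | Format-Table -AutoSize
```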