Troubleshooting issues arising out of local security policy or group policy can be a challenge.
If a change does not seem to take effect on
I can't count the times these RSoP viewers have saved me. Being able to quickly find the effective setting on a specific policy element and know immediately in which exact GPO that setting was defined will save you hours of blind searching.
And don't forget the new Group Policy Management Console for Windows 2003 Active Directory domains. I discussed that tool in a tip a few weeks ago.
Many problems arise from the fact that changes to the local security policy may take immediate effect, only to be repealed once the domain (site or OU) GPO is refreshed after 90 minutes. Changes that seem to work immediately but get lost after an hour and a half are usually due to this artifact. Once again, only make changes to an AD container GPO for domain clients and to the local security policy for standalone or workgroup clients.
When troubleshooting a GPO-related issue, first attempt to boot the system without a domain connection using a local user account. Check the local security policy to see if it has conflicting or incorrect settings. Keep in mind that GPOs are applied in LSDOU order, so even if there is a bad setting in the local security policy, it may be overwritten by an AD container-level GPO.
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
Do you have comments on this tip? Let us know.
This was first published in November 2004