Group Policy Preferences: Understanding “Run in Logged on User’s Security Context” Sept. 26, 2019, 4:29 p.m.

Every preference item applied is processed under the local SYSTEM account. This applies to preference items created under both the Computer and User Configuration nodes. When you select “Run in Logged on User’s Security Context”, the security context is changed from SYSTEM to the current logged-in User. This is a huge distinction when you are creating preferences for Files, Shortcuts, or Drive Mappings.

windows group policy

A Treatise on Group Policy Troubleshooting–now with GPSVC Log Analysis! April 10, 2019, 3:09 p.m.

This guide outlines basic steps used to troubleshoot Group Policy application errors using the Group Policy Service Debug logs (gpsvc.log).

Enable logging by setting the REG_DWORD value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics\GPSvcDebugLevel to 30002 (hex), and ensure %windir%\debug\usermode exists. The gpsvc.log file will be created in this directory when Group Policy is updated (e.g. gpupdate /force).

windows troubleshooting group policy

Global Object Access Auditing is Magic Nov. 1, 2018, 3:55 p.m.

Global auditing lets you create System Access Control Lists (SACL) for the entire computer, based on file and registry. This means that instead of manually altering and maintaining SACLs on 10TB of shared files, you can instead define them implicitly and not actually modify the files at all. You can then troubleshoot an unexplained file deletion, see who keeps changing permissions on a folder, or satisfy an auditor.

active directory security windows group policy

Getting the Effective Audit Policy in Windows Nov. 1, 2018, 3:50 p.m.

You should not trust any of the Group Policy reporting tools when it comes to audit settings. There’s only one safe bet and it’s this command: auditpol.exe /get /category:*

active directory security windows group policy

Troubleshooting Group Policy Using Event Logs Sept. 28, 2018, 8:53 a.m.

Most of the events in the Group Policy operational log appear in pairs. For each start event, there is an end event. End events can be successful, warning, or error events. Usually these events share the last two digits in their event IDs. For example, a 4017 event appears in the event log, which represents a Group Policy component beginning a specific action. If the action completes successfully, then the Group Policy service records a 5017 event. If the action completes with errors or fails, then the Group Policy service records a 6017 or 7017 event, respectively. Policy processing events use the same numbering scheme for warning and error event messages in the 8000–8007 range for Group Policy success events. You can use these numbering patterns to quickly identify warning and failure events in the Group Policy operational log.

active directory windows group policy

CRUD: When to use Create, Replace, Update or Delete in Group Policy Preferences? Sept. 17, 2018, 5:12 p.m.

Here is a quick run-down of how Create, Replace, Update and Delete behave in Group Policy Preferences.

active directory windows group policy

List Group Policy Client Side Extensions Sept. 4, 2018, 3:50 p.m.

The order of Client Side Extensions is the order you see in the registry, and that is the order you see in my list as well. But (yes, normally there is a but as well) the first CSE to be applied is {35378EAC-683F-11D2-A89A-00C04FBBCFA2}. This is the one for Registry/Administrative Templates; this also includes if you write an ADMX template on your own, this will be applied first.

function Get-GPClientSideExtensions {
    # Each subkey of GPExtensions is one registered CSE, named by its GUID
    Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions" | ForEach-Object {
        $guid = ($_.Name).Split("\") | Select-Object -Last 1
        $props = Get-ItemProperty $_.PSPath

        # Guess the CSE name, in order: (default), ProcessGroupPolicy, ProcessGroupPolicyEx
        if ($props.'(default)') {
            $description = $props.'(default)'
        } elseif ($props.ProcessGroupPolicy) {
            $description = $props.ProcessGroupPolicy
        } elseif ($props.ProcessGroupPolicyEx) {
            $description = $props.ProcessGroupPolicyEx
        } elseif ($guid -eq "{35378EAC-683F-11D2-A89A-00C04FBBCFA2}") {
            # Compare with -eq; a single "=" would assign and always evaluate as true
            $description = "Administrative Templates"
        } else {
            $description = "Error guessing CSE name"
        }

        [PSCustomObject] @{
            GUID = $guid
            Description = $description
        }
    }
}

active directory powershell group policy

The effects of GPO version numbers on Group Policy replication Oct. 18, 2017, 4:20 p.m.

There are two portions of every GPO. The Group Policy Template (GPT) is stored in the SYSVOL of each domain controller and the Group Policy Container (GPC) is stored in the Active Directory database. Each of these GPO portions has an associated version number that keeps track of how many changes have occurred to the computer and user portions within the GPO.

active directory group policy

Understanding the GPO version number Oct. 17, 2017, 7:38 p.m.

If you've ever poked around to look at the raw GPO version number, you've probably wondered why the number is so huge and how it gets displayed as a much smaller value when you view the version number using GPMC.

active directory powershell group policy windows

[MS-GPAC]: Group Policy: Audit Configuration Extension Oct. 16, 2017, 1:56 p.m.

Documentation for Group Policy: Audit Configuration Extension, which provides a mechanism for an administrator to control audit policies on clients.

active directory documentation group policy windows

Group Policy: Inside ADM and ADMX Templates for Group Policy Sept. 27, 2017, 4:33 p.m.

The Administrative Templates node appears on both the User and Computer sides, but where do all these magical settings within Administrative Templates come from? That's where ADM files come into play.

active directory windows group policy

Advanced security auditing FAQ Sept. 19, 2017, 8:31 a.m.

If permissions are configured for an object, its security descriptor contains a DACL with security identifiers for the users and groups that are allowed or denied access. If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing is not completely configured unless a SACL has been configured for an object and a corresponding Object Access audit policy setting has been configured and applied.

windows group policy security

Configuring your PDCE with Alternate Time Sources May 23, 2017, 4:21 p.m.

By making the primary NTP server flag 0x9, we made it Client 0x08 + SpecialInterval 0x01. As for the second NTP time server, by making the secondary NTP peer flag 0xa, we made it 0x08 Client + 0x02 UseAsFallbackOnly. On initial sync during service startup, the polling interval time is zero, which will not match the special polling interval that our 0x01 flag requires. This being the case, w32time will use the Fallback server as its primary choice until the special polling interval arrives; then it will use the intended primary server.

windows sysadmin group policy

How to create the Central Store for Group Policy Administrative Template files in Windows Vista May 8, 2015, 5:50 p.m.

This article describes how to use the new .admx and .adml files to create and to administer registry-based policy settings in Windows Vista. This article also explains how the Central Store is used to store and to replicate Windows Vista policy files in a domain environment.

tutorial windows group policy sysadmin