Group Policy Troubleshooting: GPOZaurr Part 2

Captions
We are on Group Policy troubleshooting part two. In part one I introduced a marvelous PowerShell module called GPOZaurr; he gives it the name of Group Policy Eater. This PowerShell module is so comprehensive and so well designed that I decided to use it as a framework to show you how you troubleshoot Group Policies. There's a total of 15 different fundamental principles that this PowerShell module goes after to analyze, give you a report on, and then show you how to fix those 15 different problems. Now, in the first video I spent all my time really walking you through the HTML report that the PowerShell module gives you: how to tackle each and every section, how to analyze it, how to look at your report, how to repair, all of that. I took a great deal of time just so that you are comfortable with what the PowerShell module does and how to use it. So in this second video we're going to quickly go through those last 12, and hopefully you are now comfortable with how to approach troubleshooting and have a better understanding of some of the major issues that can cause you problems with Group Policy.

Now I've run my Group Policy Eater module commands and you can see it's run the analysis; I now have an HTML report. We're going to start with GPO permissions consistency. What do we mean when we talk about GPO permission consistency? When I as a domain administrator create a Group Policy, I am putting data in the Active Directory domain partition. There's going to be GPO metadata that goes in there, and there are going to be ACLs, access control lists, that are going to be in that metadata. I'm also going to put files and folders on SYSVOL. There's going to be a folder that represents that GPO, there's going to be a top-level ACL that's on that GPO, and all the files and folders that are inside: do they inherit that top-level permission set, so that we don't have permissions in the metadata different than what the ACLs are going to be on SYSVOL? So notice the graph on the right: if you have red in your chart you've got inconsistencies, you've got either inherited rights not being the same as top level or whatever, so you need to look at your report and help determine what is the problem and where you need to focus. So here in my spreadsheet view I see my GPOs over here on the left, and I see my ACL consistency is all true and green, my ACL consistency inside is all true and green. If it wasn't, then I would have the steps to solve those problems: I could prepare a report, go next, start using some of these permissions that will allow me to repair some inconsistencies, go next, and here are some of the inheritance. Now here it says this step is manual until some kind of automation is developed, so here you would have to try to figure out your inheritance issue if this was where you had the problem. This check just makes sure that you don't get out of sync between your ACLs on metadata and your SYSVOL. Keep in mind, in the repair step always leave the -WhatIf parameter in until you're ready and feel comfortable to remove it, and then go ahead and execute it.

Our next test is the duplicate CNF Group Policy. CNF stands for conflict. It simply means that you had two domain administrators who were modifying this GPO at the same time on two different domain controllers. AD does not overwrite this if it hasn't had a chance to replicate; instead it renames one of the objects and appends it by giving it the CNF, and it allows you to go in manually and fix this conflict. Again, the repair step has the -WhatIf parameter in; you can run it and take a look at it before you go ahead and remove the -WhatIf parameter.

Since GPOs and OUs are really the heart and soul of Group Policies, and Group Policies want to see either users in an OU or computers in an OU or both in an OU, GPOs will not impact anything in an OU if it's not a computer and it's not a user. Do you have GPOs that are linked to OUs and there's nothing in them? That can happen over time; your Active Directory can get messy, and this gives you that option to really clean up, make sure that you have GPOs attached to OUs that have either computers or users inside. So this test is going to be looking at those policies. This is a great cleanup operation on your Active Directory and your GPOs to make sure that you don't have these types of situations. If you look in the right pane of the HTML report he makes some cautions. He says unlinking GPOs from OUs that have no computers or users inside is a fairly safe exercise; removing an OU requires a bit more deep dive and should only be executed if you know what you're doing. If you'll notice in this report, this spreadsheet, I've got a highlighted OU, and that OU I created is called No GPO. It's an OU that I can drag and drop a user or a computer into, and I don't have any Group Policies assigned to it. So if I've got something going on in my environment and I'm suspecting it's a GPO problem, one of the things I can do is grab that user, grab that computer, and throw them in my No GPO OU, reboot the computer, and see, now that all GPOs have been relinquished from that computer, is it acting normal again? That's just my own decision to have that, and you can see it's letting me know it doesn't like it. It's not a problem, you can do this, just be aware it is highlighting the fact that I've got an OU with no GPO. And of course the repair: this command will then execute, it runs a cleanup procedure that unlinks from organizational units that have no users or computer objects, and so again it has the -WhatIf, so do that first before you remove that -WhatIf.

Our next test is called Group Policy summary. This is kind of cleanup part two. Every time an administrator adds more and more Group Policies as business requirements change, due to either neglect or thinking it may serve a purpose later, a lot of Group Policies just have no value at all: either the GPO is not linked to anything, or just stays unlinked forever, or the GPO is linked but the link is disabled, or the GPO is totally disabled. There can be Group Policies that are targeting certain groups or persons and that group has been removed, leaving the GPO doing nothing. So this is looking at kind of the overall. You can see I got a lot of red in mine; mine's a training domain, so I've got like eight Group Policies that are not optimized, I've got three that are not valid. My report card is not good here. What does it mean that my Group Policies are not optimized? So here under the Group Policy Objects node I'm going to go to one of my Group Policies. I was actually preparing this GPO for one of my videos and it's concerning BitLocker. Well, it's a computer-only Group Policy; it does not impact users. And if I right-mouse-click and I look at GPO status, it is enabled. It's not doing anything, which is one of my bad report card elements, but I should have set user configuration settings disabled, because it's not going to impact any users and I've got it set to do so. All the configurations are strictly for computer, not for user. So by doing that, notice my status is that the user configuration settings are disabled. It will actually run faster. So that's what it means by optimized. Pay attention to this test, this analysis of your Group Policies; make sure you clean up as many of these problems as you can. If you have these non-optimized GPOs, it'll actually help the performance of logons for your users. As you get to the repair section, make sure you do a backup. This is one place I would make sure I do a backup before I move forward and fix some of these issues. In the repair section of this test there's lots of good information; make sure you do your reading and due diligence. Any information highlighted in red, I would read that. He provides scripts not only for a single domain but multi-domain situations. Again, be careful, make sure you read carefully the information supplied by this module before you execute anything.

Now our next test is Group Policy links, and it allows you to look at your Group Policies and see how many OUs you have linked to this particular GPO. You can see in my spreadsheet view I have a Default Domain Policy and it's linked only to the domain; then my Remote Event Viewer and RPC Firewall GPO is linked to five OUs, and then I have some of my GPOs that are linked to six OUs. So it's a great way to look at your GPOs: how many OUs are you linked to, are those links enabled or are they disabled. So you want to look at that; that's a great way to look at your GPO strategy, to see your links, your links enabled and your links disabled. The next test is Group Policy passwords. I don't have any such scenario, so mine is blank. We're now looking at Group Policy permission analysis. When GPOs are created there's a handful of standard permissions, and those are NT AUTHORITY\Authenticated Users, Domain Admins and Enterprise Admins with edit, delete and modify permission, and then of course a SYSTEM account with edit, delete and modify permission. If this is not standard in your GPO structure you're going to have problems. So when you run the report you're going to get your graph showing you your visible permissions: overall permissions, administrative, authenticated users, system permissions, and then if there's any unknown permissions in your Group Policy structure it's going to highlight those. So again, if you're missing Authenticated Users or admin groups or SYSTEM, the scripts are there so that you can add those groups, get them back to default status in terms of permissions. He even provides a script that will allow you to remove any unknown permissions from your structure, so you just run it; again, always use the -WhatIf and then go ahead and remove it and get rid of those unknown permissions.

The next test that he runs is called the SYSVOL file list. It really isn't a diagnostic, but it is a nice spreadsheet analysis of what you have on your SYSVOL folder. So here you can see my spreadsheet view of all my SYSVOL files. You can export that out in Excel, CSV, PDF; nice features, especially if you want it for some documentation. This is a great way to pull that information off. It shows you that this particular policy is based on an ADMX template; it gives you attributes, gives you creation time, last access time and last write time. A lot of great information, especially for documentation. Before we leave this SYSVOL/NETLOGON file list, just be aware this is every file on those two shares on your domain controller, SYSVOL and your NETLOGON. Here is my domain controller; you always have a NETLOGON share and a SYSVOL share, and this test, or this documentation, shows you every file you have on your NETLOGON share and your SYSVOL share. You might be surprised at how many you have. The spreadsheet is busy and the font is very small, but you do have a lot of information here. I'm going to come down; I've got over 447 entries in this spreadsheet, I'm up to 436 of 447, so I'm almost to the end of my files, and you can see things are starting to change. This particular file belongs to a GPO; if you go back to my first list of files, this file doesn't belong to a GPO. So just be aware. Notice the file extensions: .pol, that is going to be a policy that edits the registry because it's a .pol extension; I see .inf, I know that's a security policy. There's a lot of information in here that I can glance at, but just be aware this is a great way of documenting what's on your NETLOGON, your SYSVOL. It gives you an enormous amount of great information; you might want to pop through it. In my case I've got 447 entries; it's going to be many pages if I print it.

Our next test that we run is a look at our policies to see are any of them being blocked via inheritance. Naturally we have inheritance invoked, so if we set a policy at the domain level it should be inherited by OUs below it. This is going to reveal do we have any of those, and you can see mine is blank; there's no blocked inheritance in my structure. Let me go ahead and turn on blocked inheritance; we'll come back and run this test and you'll see my report will look different. So let's take a look. Here's my Group Policy Management; I'm going to come to an OU, right-mouse-click, and notice I have the option to Block Inheritance. Notice I get an icon here. I'm going to come to a couple; let's go to Home Labs, Block Inheritance, and Home PCs, Block Inheritance. This prevents anything at the domain level from automatically coming down into those OUs. This can get you in trouble; this is an approach that is appropriate for certain applications but also can create security problems. Let's run a report again and let's take a look at it. Okay, this is a fresh report. I'm going to come up to Group Policies blocked inheritance. Voilà, you can see there's a lot of change. So now it has paid attention to the fact that I've blocked inheritance; Group Policies at the domain level may or may not come down to certain OUs, and it's letting me see that clearly here. So blocking Group Policies from being inherited by sub-OUs is not bad, it just has to be done very carefully. Here's the normal way that Group Policies work. Let's say the root here in this graphic is our domain, and I've set a password policy, A, and I've also set an Internet Explorer setting, we'll call that C. This sub-OU has a firewall policy called B. Now these sub-OUs, User and Computer, because of inheritance now have a Group Policy of A, B and C. They've inherited from the domain, the parent; the process of inheritance has pushed each of those policies down to OUs that are in the hierarchical structure of that domain. Here's the same thing: so if I have a domain policy, and here's my domain, and I decide at Sales to block this policy up here from my Managers, from my Sales Reps and from my Sales Admin, it stops it from being inherited. This is appropriate for certain scenarios, but it also can add security risks. Again, to block inheritance you just go to an OU, right-mouse-click, and check Block Inheritance. You will get an icon indicating so, so you can clearly see when inheritance is being blocked.

Okay, Mr. V, you've made it sound pretty bad. No, let's take a look at some of the reasons for blocking inheritance. You have a specialized security requirement on an OU that's different from the rest of the domain; there's one way you would block inheritance. You have a different software configuration for an OU that's different from the parent OU. You have a testing development environment. User-specific policies, password policies would also allow you to block inheritance, say, from the overall domain. In a multinational corporation there are location-based policies: policies that you set in your European environment may be very different than in your Asian environment. Temporary policy changes: you could stop inheritance just for some testing reason or to avoid disruption. You could have an educational training environment OU in which you're going to block certain inherited Group Policies. You could have compliance, where because of compliance you've got point of sale that are under PCI compliance, so because of those point of sale devices you have to block inherited GPOs. And then legacy systems: because of their need, but they're legacy, you may want to block certain ones. So there are justified reasons for blocking inheritance.

We have three more tests; let's wrap this up. The next one is called Group Policy content. It's really not analysis; it has no repair features. It basically shows you all the types of policies that you have set up right now and gives you a ton of information. In my case I do have an audit Group Policy, BitLocker Group Policy; you can come through here and see all the different various types. I've got a Windows Update, I've got a couple Windows PowerShell, got some firewall rules. So it's just showing you all the types of Group Policies you have, and it breaks down all the information about each of those. Again, you can export that in Excel, CSV, PDF and again build documentation. The Group Policy content is simply great for documentation; it allows you to really get a lot of information about your GPOs, export them into any format you want, and build again that great reporting.

Our next step is NETLOGON owners. Remember, NETLOGON is a share on a domain controller; it's used by Group Policy objects. Keep in mind the ownership should be the built-in Administrators. Anybody who owns files, or is the owner of files, that's outside of the built-in Administrators, that needs to be changed. This report's going to highlight it, it's going to let you know, and it's going to give you the scripts to repair it. Now our last test covers NETLOGON permissions. Now this is not ownership; this is just the permissions assigned to the files on the NETLOGON share. These can vary. You want to pay attention to what permissions are applied to those files so that the wrong users or groups don't have modify rights or write permissions or all those disastrous types of permissions on your domain controller Group Policy NETLOGON share. This again is just going to analyze, report it, and give you some scripts to fix it.

All right, Mr. Interpool, are all my troubles and problems with GPOs covered in this two-video series? Absolutely not, but you did get some solid, good foundational steps and procedures to follow when you set up your Group Policies, so that you'll find you're much more consistent, fewer errors, fewer problems, especially if you're inheriting a company: you're brought in as an administrator, there's been six administrators before you, and here you sit with 400 GPOs and you don't have a clue of what you've got there. This is a great way to analyze those, clean up any messes or inconsistencies, get things in order. Just a quick reminder: if what we produce here at Tech Savvy Productions on our YouTube channel is beneficial to you, I encourage you to join the channel. It's $2.99 a month, it's less than a cup of coffee a month, but your membership really helps support the costs that are required to make this channel. We encourage you, no matter whether you're a member or not, put in comments, feedback in our comment section, take advantage of our notes, our PowerPoints.
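The checks the video walks through (non-optimized GPOs, unlinked or disabled GPOs, missing default trustees and unknown SIDs, blocked inheritance on OUs), reimplemented as an added report-only audit with the stock GroupPolicy and ActiveDirectory modules. This is example code written for this page, not GPOZaurr's own cmdlets; it assumes a domain-joined session with RSAT and GPO read rights, and the single write action stays behind -WhatIf as the video recommends (the GPO name in it is a placeholder).

```powershell
# Added example (not GPOZaurr's code): report-only audit of the GPO hygiene checks the
# video describes, using the stock GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy, ActiveDirectory

# Trustees every freshly created GPO carries, per the video's "standard permissions".
$defaultTrustees = 'Authenticated Users', 'SYSTEM', 'Domain Admins', 'Enterprise Admins'

function Get-GpoHygieneFinding {
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $issues = [System.Collections.Generic.List[string]]::new()

        # "Not optimized": a side is enabled but carries no settings, e.g. the
        # computer-only BitLocker GPO that still processes its (empty) user half.
        if ($report.GPO.User.Enabled -eq 'true' -and -not $report.GPO.User.ExtensionData) {
            $issues.Add('User side enabled but empty (set User Configuration disabled)')
        }
        if ($report.GPO.Computer.Enabled -eq 'true' -and -not $report.GPO.Computer.ExtensionData) {
            $issues.Add('Computer side enabled but empty (set Computer Configuration disabled)')
        }

        # "Summary" checks: linked nowhere, every link disabled, or GPO fully disabled.
        $links = @($report.GPO.LinksTo | Where-Object { $_ })
        if ($links.Count -eq 0) { $issues.Add('Linked nowhere') }
        elseif (-not ($links | Where-Object { $_.Enabled -eq 'true' })) { $issues.Add('All links disabled') }
        if ($gpo.GpoStatus -eq 'AllSettingsDisabled') { $issues.Add('GPO fully disabled') }

        # Permission analysis: default trustees missing, or SIDs that no longer resolve.
        $perms = Get-GPPermission -Guid $gpo.Id -All
        foreach ($t in $defaultTrustees) {
            if ($perms.Trustee.Name -notcontains $t) { $issues.Add("Missing default trustee $t") }
        }
        foreach ($p in $perms | Where-Object { [string]::IsNullOrEmpty($_.Trustee.Name) }) {
            $issues.Add("Unknown trustee $($p.Trustee.Sid)")
        }

        foreach ($i in $issues) { [pscustomobject]@{ GPO = $gpo.DisplayName; Issue = $i } }
    }
}

function Get-BlockedInheritanceOu {
    # Blocked-inheritance check: OUs that stop domain-level GPOs from flowing down.
    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        if ((Get-GPInheritance -Target $_.DistinguishedName).GpoInheritanceBlocked) { $_.DistinguishedName }
    }
}

Get-GpoHygieneFinding | Format-Table -AutoSize
Get-BlockedInheritanceOu

# Repair stays behind -WhatIf until reviewed: restore the Authenticated Users apply
# right on a GPO that lost it. 'PLACEHOLDER-GPO-NAME' must be replaced with a real name.
Set-GPPermission -Name 'PLACEHOLDER-GPO-NAME' -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoApply -WhatIf
```

The ExtensionData test treats any present client-side extension as "has settings"; a GPO whose only content is security filtering or WMI filters will still report both sides as empty, which is the same situation the video's "not optimized" flag describes.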
Info
Channel: TechsavvyProductions
Views: 951
Id: ftpIoURqC8U
Length: 23min 4sec (1384 seconds)
Published: Wed Jan 03 2024