SUMMARY

When you are troubleshooting the application of a group policy, it may be necessary to validate that the appropriate objects are in the Active Directory and that the file structure is correct in SYSVOL on each domain controller on which the Group Policy Object (GPO) is replicated.

A key piece of information in this process is the Globally Unique Identifier (GUID) associated with the GPO. This article discusses identifying a GPO with its GUID.

back to the top

Determining the GUID of a GPO Using the Properties of the GPO

1. Using the "Active Directory Users and Computers" or "Active Directory Sites and Services" administrative tool, click Properties on the context menu of a domain, site, or organizational unit object in the Active Directory.
2. Click the Group Policy tab, click the GPO, and then click Properties. The Unique Name field contains the GUID of the selected GPO. Also note the Domain field. This is where the GPI is stored, even though it may be used (linked to) by other domains.

back to the top

Identifying the File-Based GPO Structure on the System Volume

1. On a domain controller in the domain identified above, determine which drive hosts the system volume (Sysvol).
2. Using Windows Explorer, open the Sysvol folder.
3. The following folders exist: Domain, Staging, Staging Areas, and Sysvol. Change to the Sysvol folder.
4. A folder with the name of the domain that the local domain controller is a member of should exist. Change to the following folder:

   Path to Sysvol\Sysvol\DomainName\Policies.

   A folder for each GPO created in the domain, each identified by its GUID, should exist.
5. Open the folder identified by the GUID of the GPO that you recorded in the previous section of this article.

Note: The Group Policy structure on the system volume contains a Gpt.ini file that contains version information (of the GPO) and other optional data. Additionally, the file-based policy is broken into Machine and User folders with the appropriate policy for each. An Adm folder may also be present when software policies (administrative templates) are being used.


Without access to the properties of a given GPO, the administrator can use other methods of attaining either the GUID for a known GPO or the friendly name of a GPO of which the administrator has the associated GUID.

back to the top

Identifying the GPO in the Active Directory Using Search.vbs

Search.vbs is a Microsoft Visual Basic script that is included in the Support\Tools\Support.cab file on the Windows 2000 retail CD-ROM. You can use this script to perform an LDAP search against the Active Directory and either display or output the results to a text file.

To resolve a GPO name to a GUID, type

where mydomain and com is the correct domain name.

The output displays how many objects were found (there should be only one in this case--a specific GPO) and presents the value for the Name attribute for each object found. For example:

To resolve a GUID to the name of a GPO, type

replacing mydomain and com with the correct domain name and replacing 31B2F340-016D-11D2-945F-00C04FB984F9 with the appropriate GUID.

The output displays how many objects were found (there should be only one in this case--a specific GPO) and presents the value for the DisplayName attribute (the friendly name seen in Administrative Tools) for each object found. For example:

back to the top

Identifying the GPO in the Active Directory Using Ldp.exe

NOTE: Ldp.exe is a Resource Kit utility used to view and modify objects and their attributes in the the Active Directory. Other utilities can be used to accomplish the same result.

1. Run Ldp.exe from the Support\Reskit\Netmgmt\Dstool folder on the retail Windows 2000 CD-ROM.
2. On the Connection menu, click Connect.
3. Type the server name, verify that the port setting is set to 389, click to clear the Connectionless check box, and then click OK. Once the connection is complete, server-specific data is displayed in the right pane.
4. On the Connection menu, click Bind. Type the user name, password, and domain name (in DNS format) in the appropriate boxes (you may need to select the Domain check box), and then click OK. If the binding is successful, you should receive a message similar to "Authenticated as dn:'YourUserID'" in the right pane.
5. On the Browse menu, click Search.
6. In the Base DN box, type

   dc=mydomain,dc=com

   replacing mydomain and com with the appropriate domain name.
7. In the Filter box, type

   (&(objectClass=groupPolicyContainer)(name={31B2F340-016D-11D2-945F-00C04FB984F9}))

   replacing 31B2F340-016D-11D2-945F-00C04FB984F9 with the appropriate GUID if you have the GUID and are looking for the friendly name of the GPO.
   
   Or, type

   (&(objectClass=groupPolicyContainer)(displayName=Default Domain Policy))

   replacing Default Domain Policy with the appropriate GPO name if you have the friendly name and need to resolve the GUID.
8. In the Scope frame, click Subtree.
9. Click Options. In the Attributes box, type displayName if you have the GUID and are looking for the friendly name, or type name if you have the GPO name and need to resolve the GUID.
10. Accept all other defaults, click OK and then click Run. After the query completes, the Distinguished Name (DN) of the object found (there should be only one in this case) and the value of the attribute requested in the query are displayed in the right pane.

back to the top