4 Steps to Troubleshooting Group Policy

A customer called recently who was having some pretty basic troubles with Specops Deploy.

What struck a chord with me was how important the simple, basic steps are in troubleshooting Group Policy. Sure, there is plenty of complex stuff to work through but if the process always begins with simple, known good steps, the chances of a quick resolution are much greater.

The problem was the client machine wasn’t processing policy data for this specific extension, in this example Specops Deploy.

Here is a four-step guide to troubleshooting Group Policy. These are the same steps I would follow with any third-party client-side extension to GP.

1 – Confirm CSE is installed

This is a great place to start. Open Programs and Features in the Control Panel and look at the list of installed programs. In this example “Specops Deploy Client Side Extension (x64)” was in place and looked fine.


2 – Quick check on GP Health

Rule out odd stuff by running GPResult. This command-line tool is essential. It shows all GPOs that processed for both Computer Settings and User Settings. It will also show GPOs that had errors or were filtered out for whatever reason. The ‘SDCSE’ processed on the system and did not throw any errors.


3 – Check the Event Log

Event ID 4016 represents the ‘start’ of a Client Side Extension's processing and Event ID 5016 represents the end. If the CSE fired off and succeeded, it will be shown here. Kick off a manual GP refresh with GPUpdate so that you get a clean set of events at the top to look at. You can also track down a nifty little tool called GPLogView – that is a post for another day. After going through the 4016 events it was clear that the Specops Deploy CSE wasn’t firing for some reason.


4 – Check the CSE registrations

All Client Side Extensions (CSEs) are registered with Winlogon in the registry. You can navigate down to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions in the registry editor and find the list of extensions present on the system. Just roll through these looking for the DisplayName for the extension you are troubleshooting. In this case there was no extension registered for the Specops Deploy CSE. It turns out the package was modified when the customer was experimenting. They ended up using the wrong package for deployment and it failed, even though it appeared to work. Errors installing the correct client package will show in the Event Log in step #3.
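
Steps 3 and 4 can also be checked from PowerShell. The script below is an added example, not part of the original post or any Specops tooling; the `$CseName` parameter and its sample value are hypothetical, and it assumes the 4016/5016 events are read from the Microsoft-Windows-GroupPolicy/Operational log and that the extension's name appears in the event message.

```powershell
# Added example: scripted version of step 3 (events) and step 4 (registration).
# $CseName is a hypothetical parameter; 'Specops' is only a sample search string.
param(
    [string]$CseName   = 'Specops',
    [int]   $MaxEvents = 200
)

# Step 4: every CSE is a GUID-named subkey under Winlogon\GPExtensions.
$gpExt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$registered = Get-ChildItem -Path $gpExt | ForEach-Object {
    [pscustomobject]@{
        Guid        = $_.PSChildName
        Name        = $_.GetValue('')            # unnamed (Default) value
        DisplayName = $_.GetValue('DisplayName')
        DllName     = $_.GetValue('DllName')
    }
}

$match = $registered | Where-Object {
    "$($_.Name) $($_.DisplayName) $($_.DllName)" -like "*$CseName*"
}
if ($match) {
    $match | Format-Table -AutoSize | Out-String | Write-Host
} else {
    Write-Warning "No CSE registration matching '$CseName' under GPExtensions."
}

# Step 3: 4016 = CSE processing started, 5016 = CSE processing ended.
# Run GPUpdate first so the newest events belong to a known refresh.
$filter = @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 4016, 5016 }
$events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$CseName*" })

$started = @($events | Where-Object Id -eq 4016).Count
$ended   = @($events | Where-Object Id -eq 5016).Count
Write-Host "4016 (start) events for '$CseName': $started"
Write-Host "5016 (end)   events for '$CseName': $ended"

if ($started -eq 0) {
    Write-Warning "The CSE never started processing; check its registration and installation."
} elseif ($ended -lt $started) {
    Write-Warning "The CSE started but did not always finish; review the events around each 4016."
}
$events | Select-Object TimeCreated, Id, Message -First 10 | Format-List
```

A missing registration together with zero 4016 events matches the situation described here: the extension appeared to be installed but was never registered with Winlogon.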


Four simple things to look at confirmed there was a problem with the client installation. After the CSE was re-installed, all policy settings applied as expected.

(Last updated on October 30, 2023)
