Tuesday, March 19, 2013

Group Policy 101: Troubleshooting

This is not intended to be an exhaustive walkthrough of Group Policy troubleshooting. It is really just a summary of a specific experience.

I realized when discussing this with my colleague Heather that it could make an interesting post. What we found interesting was that we typically *assume* some baseline knowledge when we work through tricky situations with our customers. We shouldn't. We should make sure to check all of the basics and walk people through common steps.

So, here is the story.

I was working with a customer who was having issues getting Specops Deploy to work as they expected. Now, even though this was troubleshooting Specops Deploy, it demonstrates the same steps for just about any third-party extension to Group Policy.

In the first 30 seconds of our discussion I realized that seeing what he was looking at was going to be key to me helping out as efficiently as possible.

My customer, let's call him Bob, shared out his desktop.

I connected to Bob's desktop and he was showing me multiple systems: a full client running Windows 7, a Virtual Machine running Windows 7 on Hyper-V, and a couple of servers. The full client was running fine and the Virtual Machine was not processing Group Policy, at least that was the report from Bob. We really only needed to look at the client that wasn't working.

"It's just not working, it should work without questions, I didn't do anything wrong, just followed the steps... I'm really frustrated," said Bob.

"No problem Bob, we'll get to the bottom of it" I said (with as little doubt in my mind as I could muster). Supporting folks is difficult in that you can't be as honest as possible or you quickly turn into that obnoxious IT guy Jimmy Fallon played on Saturday Night Live (Nick Burns IT Guy).

We looked at the Programs and Features Control Panel on the client that wasn't working. Everything looked fine.

OK, so this looks fine... what's next?

"Alright Bob, do we know if GP is working on this machine?" I asked.

"Sure" he said "what do you want me to check?"

"Open up an elevated command prompt and run gpresult /R" I requested.

All the GPOs that should have applied to the computer did! So it is clear that GP is set up right; it 'seems' to be working, but we know there is something wrong.

"OK Bob, that looks good, let's take a look at the event logs, specifically the GP Operational Log."

"Hmmm, you'll have to show me that one, I'm not sure I know what you are talking about," said Bob.

"No problem Bob, it is a bit buried. It is full of great Group Policy information and all the other noise is filtered out... it's a great place to look for issues."

"You can find it in the Event Viewer under 'Applications and Services Logs\Microsoft\Windows\Group Policy\Operational'. Make sure to open the Event Viewer as Administrator."

Bob clearly hadn't seen the Operational Log before, so this could be a good learning experience! But he found it and got it opened for us to look at. I requested Bob run GPUpdate /Force on the client so we would get a fresh set of GP-related events at the top of the screen.

"OK, now see those Events with Event ID 4016? Those are individual Client Side Extensions (CSEs) starting up. 5016 Events are fired when the specific CSE completes. Go through the 4016 events beginning at around 6:05:48 PM and see if you see a CSE for Specops Deploy. We have already seen that it is configured correctly in GP and GPResult says GP processed correctly," I told Bob. I wanted to use this to help him understand how he can better troubleshoot GP by himself. He seemed happy with the mini-lesson.

"It's not there," he said.

"Strange, Programs and Features shows it installed, GP processing is working fine without error, but there is not a specific event showing the Specops Deploy (or other third party extension) executing. Do me a favor Bob, let's look at one more thing before we reinstall the CSE," I suggested.

"I want to look at the CSE registrations in the Registry on the client. Can you open up regedit.exe? Navigate down to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions. This is a list of all Group Policy CSEs registered on this client. Now let's navigate down to see if the Specops Deploy CSE is registered in there."

We looked and didn't find it.

"OK Bob, looks like something went south with the installation of the CSE, don't know why but it's not there," I said.

"You know when I did the install I decided to extract the individual CSE from a larger package. I had done some clicking around and messing with it to learn what I was deploying. I guess I could have messed something up."

"No problem, I'd suggest you go ahead and reinstall the CSE. Make sure to get a current good version and deploy it as intended; there is some good guidance in the Specops Deploy documentation. I've got to jump on another call. Go ahead and reinstall and let's catch up in the AM to see how it worked out!" I suggested.

"No problem Kevin, thanks for your help. Talk to you tomorrow."

I got an email from Bob in about 15 minutes. He had reinstalled the CSE and everything worked fine. He was happy for the additional information on the GP Operational log, the GPExtensions registration in the registry and the GPResults report.

Ultimately it was pretty straightforward, but it is always great to get back to the basics of Group Policy. It is a very logical system and if you follow the troubleshooting steps you will find what it is that ails you!
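
The two manual checks from the story (the 4016/5016 events in the Operational log and the GPExtensions registrations) can be combined into one script. This is an added example, not part of the original troubleshooting session or any Specops tooling. It assumes that the CSE GUID is carried in an event data field named `CSEExtensionId` and that the CSE's display name matches `*Specops*`; the 30-minute look-back window is also an assumption.

```powershell
# Added example. Run elevated on the affected client after "gpupdate /force".
$gpExtKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$logName  = 'Microsoft-Windows-GroupPolicy/Operational'
$since    = (Get-Date).AddMinutes(-30)   # look-back window (assumption; adjust)
$expected = '*Specops*'                  # assumed display-name pattern of the CSE under test

# 1. CSEs registered on this client: one GUID-named subkey per extension.
$registered = Get-ChildItem -Path $gpExtKey | ForEach-Object {
    [pscustomobject]@{
        Guid    = $_.PSChildName.ToUpper()
        Name    = [string]$_.GetValue('')          # default value = display name
        DllName = [string]$_.GetValue('DllName')
    }
}

# 2. CSE start (4016) and completion (5016) events since $since.
$filter = @{ LogName = $logName; Id = 4016, 5016; StartTime = $since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$counts = @{}
foreach ($e in $events) {
    # Assumed event schema: the CSE GUID is in the EventData field 'CSEExtensionId'.
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $guid = ($data | Where-Object { $_.Name -eq 'CSEExtensionId' }).'#text'
    if (-not $guid) { continue }
    $guid = $guid.ToUpper()
    if (-not $counts.ContainsKey($guid)) { $counts[$guid] = @{ Started = 0; Completed = 0 } }
    if ($e.Id -eq 4016) { $counts[$guid].Started++ } else { $counts[$guid].Completed++ }
}

# 3. Side-by-side view: what is registered vs. what actually ran.
$registered | ForEach-Object {
    $c = $counts[$_.Guid]
    [pscustomobject]@{
        Name      = $_.Name
        Guid      = $_.Guid
        DllName   = $_.DllName
        Started   = if ($c) { $c.Started } else { 0 }
        Completed = if ($c) { $c.Completed } else { 0 }
    }
} | Sort-Object Name | Format-Table -AutoSize

# 4. The failure in this story: the expected CSE has no registration at all.
if (-not ($registered | Where-Object { $_.Name -like $expected })) {
    Write-Warning "No CSE matching '$expected' is registered under GPExtensions; reinstall the extension."
}
```

A registered CSE with zero events is not necessarily broken, since an extension only runs when an applied GPO carries settings for it. A CSE with a start but no completion in the window is the one to look at next.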