GPO Explorer – GPO Test Details

Some of the Features and Tests listed here are only available in NetTools v1.31.4 and above.

The GPO Explorer Test feature provides similar functionality to the retired Microsoft GPOTool.exe utility.  This post provides the details of the completed tests and how the results are compared to the other selected DCs.

The test feature appears in two locations in GPO Explorer, one as a tab on the individual policy details and the other at the domain level to test multiple GPOs simultaneously.  While how the results are displayed is different between the two test types, the same testing is completed for both instances.

The Domain option looks like this and provides a very similar output to the retired GPOTool.exe.

GPO Testing Results

The individual test looks like this:

GPO Testing Results - Individual

DC Selection

By default, the tests are performed against all the DCs in the domain. However, it's possible to define which DCs you want to include in the test.  The Domain level test, as shown above, provides a list of DCs that have been discovered; you can limit which DCs will be included in the test by selecting as required DCs.  This selection is then used for both the Domain and Individual tests.

Test Details

The testing is completed in two phases; first, the details are collected from each of the selected DCs, and then in phase two, the captured details are compared across all the selected DCs.  The first selected DC in the server list is used as the source, and all the other DCs are compared against this DC; you can change this by using the context menu to move another DC to the top of the list, which will be used as the source DC.

During the Collection phase, the following details are captured and tests performed:

  • Display Name of the Policy
  • Sysvol Path
  • Functionality Version
  • GPO Flags
  • GPO Version Number (User and Machine)
  • WMI Filter assigned
  • GPO Machine Extensions
  • GPO User Extensions
  • When Created
  • When Last Changed
  • AD Permissions
  • Number of sub-AD objects under the GPO for both User and Machines settings
  • Check the Sysvol path is accessible
  • Capture the security permissions of the root of the policy folder
  • Check that the trustees assigned Apply Group Policy right in the AD have access to the following location in the Sysvol path:
    • The root of the policy folder
    • GPT.ini
    • User folder
    • Machines folder
  • Capture the GPO version details from the GPT.ini file (User and Machine)
  • Capture the file count, total file size, and directory count for these sub-directories:
    • Machine
    • User

Once the details have been captured from all the selected DCs, phase two will compare each value to confirm the details are the same across all the DCs.  If there are any differences, it will report an error, or the traffic lights indicators for the test will be Red.   The Compare phase, in addition to comparing the details captured in phase one, will also complete the following tests:

  • Compare the AD DACL ACE Count
  • Compare the Sysvol DACL ACE Count
  • Confirm the ACE in the Sysvol DACL are in the same order
  • Compare the AD Security Descriptor
  • Compare the Sysvol Security Descriptor
  • Check for duplicate ACEs
  • Check the order of the permissions

The Individual test option displays the results as pass\fail and doesn't provide much detail on the reason for the failure.  However, the Domain level test provides details of the captured information and failure details when the Display Policy Details option is selected before running the test.

If any AD replication tests fail, you can select the individual GPO and use the Context Menu option to run a Check AD Replication test on the GPO AD object; this will automatically populate the Attribute Replication test for you.

Check AD Permissions

Debug Option

The GPO test also provides additional debug information in the Domain level test, which is helpful if you are trying to diagnose ACL issues as reported by the GPMC Status report.  This debug option is not enabled by default and can only be enabled by manually editing the NetTools.ini file.

  1. Open the NetTools.ini file
  2. Search for [SavedOptions]
  3. Add GPODebug=true after the heading